Slashdot Mirror
Apple Responds to MOAB
frdmfghtr writes "Apple has released what appears to be the first security update as a result of the "Month of Apple Bugs." While the Apple site doesn't explicitly say that the fix was a result of the MOAB, it does point to a sample Quicktime file that triggers the overflow flaw (well, sort of...it says the file is there but doesn't provide any links)."
First thing I thought of was this.
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
Day of obvious Microsoft Bugs?
Sorry, couldn't resist.
Vote monkeys into Congress. They are cheaper and more trustworthy.
I haven't heard much coverage on the MOAB since the QuickTime revelation -- haven't they dug up any further baloney in the OS or its core of Jobsian iApps?
If the highlight of the month is the damn QuickTime thing, this has worked out to be a fairly dull bug hunt. The submitter should've at least linked up the MOAB reference with some supporting fun.
Also: is Steve Jobs technically a bug or a feature?
These stories are free but worth money.
from the linked apple release: " A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007). This update addresses the issue by performing additional validation of RTSP URLs."
is that not explicit enough??
save the GNUs!
I speak the truth! There are No Bugs In The Macintosh! Those whom you have heard saying there are bugs? Where are they now? They are not in the Macintosh. They are roasting in the stomach of the Jobs.
Even if there were Bugs in the Mac OS, the infidels would not find them. We would know about them first and Fix them forthwright. They will never defeat us for 1000 generations.
We welcome the discovery of bugs in the Macintosh! We have set a trap for them and when they fall into it, we will be victorious, Jobs willing! We will ensnare them with the traps we have set and will cast them out of the kernel and back to where they came from!
My opinions are my own, and do not necessarily represent those of my employer.
OH NOES! The dam is about to overflow! RUN FOR YOU APPLES!
WulframII - Free Online Mutiplayer 3D Tank Shooting Game
They've succeeded in furthering the silly notion that OSX is more secure. :( Here we have 20 some odd bugs and not a SINGLE disastrous outbreak among OSX computers. Will someone please find the ball and GET ON IT?!? Maybe they'll have some amazingly earth shattering ones towards the end of the month.
If this little act of theirs doesn't result in a major worm/virus outbreak, then that means that even if you SHOW people how to break the system they still can't, again furthering the notion that OSX is somehow more secure than Windows!!
Quicktime is right up there with Realplayer. They are both viruses of the worst kind.
As much as I hate Flash, at least they have the decency not to take over your computer.
How dare you speak His name! HE is whom who we may never speak thy name!
Praise be the co-creator!
What is it with the human race and creating an acronym for every damn thing?
So what is the proper response to the MOAB people? They are revealing real bugs, some of which could be exploitable. Ignoring them leads to decreased security. At the same time they have behaved very irresponsibly with regard to those bugs they have found, not notifying the vendor and providing time to fix before publication, nor following the route of immediate disclosure, the MOAB people seem to think it is all right to sit on bugs they find until the most convenient time for them to gain publicity. Worse, they intentionally space out the publication of the bugs, making a Dev/QA cycle to fix them have to wait till the end or commit to missing some. As such they have maximized the time of exposure for these bugs which encourages worms by giving malware authors as much time as possible.
Obviously increasing the security of end users is not the top priority. Accurately informing the public does not also seem to be their top concern since they named their project "Month of Apple Bugs" while many of the bugs they've announced are in third-part code (some of it cross-platform) that has nothing to do with Apple. It seems to me all they care about is publicity and sensationalizing themselves in the hope that they can capitalize upon it. Looking at them in that light, it makes sense to spread out the announcement of these bugs and not inform vendors beforehand because it increases the likelihood that people will be compromised, giving them the opportunity to go to news outlets ands say, "see we told you this might happen."
Given all of the above, what can be done? I'd certainly never want to work with people who eschew responsible disclosure and are interested only in themselves, nor would I trust them. But any press is good press, and most people are not security people and won't even understand what it is these people are doing, they'll just know they got press for security research. Is there any way the security or computing community can discourage this crap in the future and make it clear that irresponsible behavior like this is unacceptable?
This fix is in line with the typical timing and attention given Apple security updates - relatively quick and competent.
This pretty much busts MOAB's claims of Apple's ignorance and/or hostility at bug reports.
Apple has been doing better than most, fixing 99.9% of their problems through their established channels without MOAB's brand of nonsense. Count all the bugs fixed thru the normal dev bug report process. Count all those fixed by MOAB's. Compare.
IIRC nearly a third of their "Apple Bugs" are 3rd party problems to begin with.
MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.
If Apple users make you cry, go kick your tires.
You want the world to believe that you're a responsible developer that anyone will listen to or hire, prove it in daylight.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Not to let Apple off the hook, but it seems to me this could be handled better.
The revolution will NOT be televised.
Maybe this is Apples strategy to any future iPod pre^H^H^Hcontenders.
Slashdot is kind of like Playboy; we aren't here to read the articles.
I've still never seen an OSX computer out of the store...
Submitter might want to read the Apple article that was linked to. It specifically mentions MOAB and where to find the QT file.
Any other vets out there who keep reading these headlines about the MOAB and wondering how Apple's Cupertino campus survived the "mother of all bombs"? I mean, you gotta love those later-day daisy-cutters and once you've seen one of those things falling out of a C-130, the MOAB acronym just doesn't work for anything else.
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
I don't know about that. Apple releases updates routinely and seem to be on a monthly schedule. I wouldn't say it was clear case of cause and effect.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I am see several comments from folks stating that they are surprise that Apple is taking steps to patch issues ("taking it seriously", etc.). I find that a little strange comment given that Apple is actually rather good about addressing vulnerabilities that others report to them and give them credit (if they reported it to Apple). Granted Apple's general no comment policy until investigated and patched can be a little annoying if you report an issue and would like to know more but that policy doesn't mean that Apple doesn't take security reports seriously.
Just review all of the attribution Apple has given for the many vulnerabilities they have addressed over the years. For example look at the security release announcements for 2006 (mailing list archive).
As a side note a few MOAB issues are centered on group admin writable locations that can be used to take over the system is you have local access (possibly via a remote exploit). It may take Apple a little while to address this type of issue given the possibility of permission changes causing Apple and 3rd party software (installers most likely) to fail for customers. Luckily a few new security related feature will debut in Mac OS X 10.5 that will make this type of attack harder to pull off (us 3rd party developers should adopt them ASAP).
A brief listing...
CoreGraphics
CVE-ID: CVE-2006-1444
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read
by other applications in the same window session
Description: Quartz Event Services provides applications with
the ability to observe and alter low-level user input events.
Normally, applications cannot intercept events when secure event
input is enabled. However, if "Enable access for assistive
devices" is on, Quartz Event Services can be used to intercept
events even when secure event input is enabled. This update
addresses the issue by filtering events when secure event input
is enabled. This issue does not affect systems prior to Mac OS X
v10.4. Credit to Damien Bobillot for reporting this issue
Keychain
CVE-ID: CVE-2006-1446
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
X v10.4.6, Mac OS X Server v10.4.6
Impact: An application may be able to use Keychain items when
the Keychain is locked
Description: When a Keychain is locked, it is not possible for
applications to access the Keychain items it contains without
first requesting that the Keychain be unlocked. However, an
application that has obtained a reference to a Keychain item
prior to the Keychain being locked may, in certain
circumstances, be able to continue using that Keychain item
regardless of whether the Keychain is locked or unlocked. This
update addresses the issue by rejecting requests to use Keychain
items when the Keychain is locked. Credit to Tobias Hahn of HU
Berlin for reporting this issue.
GDB
CVE-ID: CVE-2006-4146
Available for: Mac OS X v10.4 and later
Impact: Opening a maliciously-crafted DWARF binary with GDB may
lead to arbitrary code execution
Description: GDB, the GNU Debugger, is susceptible to multiple
vulnerabilities that may lead to arbitrary code execution when
loading maliciously-crafted DWARF binaries. This update
addresses the issues by performing additional validation while
handling DWARF binaries. Credit to Will Drewry and Tavis Ormandy
of the Google Security Team for reporting this issue.
etc.
...by doing security review and finding some flaws that shouldn't be there in OS X.
We value OS X for its security and Unix-derived security and stability. How can you all claim to be good Commie open-sourcers like Stallman is and still oppose any peer-review that leads to the improvement of one or more BSD distro's security?
Many of these flaws are common on all platforms. OS X developers will have to be more careful in coding as this review shows. If we want to go on being secure on our virus-free platform, Apple and our developers need to do the code reviews for security.
How is it "flamebait" to link to an article about the MOAB people being accused of criminal activities related to their project?
This is about as far from flamebait as I can imagine.
yeah, sure, spoken like a true member of a marginalized fringe group. I'll shoot you next time in CS or BF2. Oh wait... you can't play those on osx
many of the bugs are problems that are just outright bizare in thinking of how they'd get executed.
"Here is a malformed HFS+ filesystem that can potentially cause a kernel panic and cause arbitrary code execution. you should all be quaking in your boots."
now just one damn minute... first, you have to get me a DMG, which, apparently, will instantly panic the kernel. Fine. so what? In real life, i'd throw out the dmg file, download it again, it would panic again, and i'd give up.
I'm missing (and it could just be me) how that's in any way exploitable in any meaningful sense.
i think the problem is that MOAB is putting on a show of bugs.. and nothing more. These are bugs that either made it past the guys in Cupertino, or they just didn't see them as that big of a deal, and figured they'd get to them eventually.
Some of these bugs are bad and could cause Macs the world over to get pwn3d and get used to do whatever you can do with an pwn3d Windows box. Fine.
But many of them are just, well.. bugs that causes the system to crash. So the hell what? Without some kind of setup and extreme set of circumstances, the majority of the bugs here crash your system, and then you reboot...
Microsoft's problem has been "be a user on the internet with their software, get pwn3ed." I'm trying to see which of these bugs would give Mac users similar "functionality".
#21 requires a local user to take advantage of this escalation problem - on a machine that they are probably already the only user of
#20 is the same thing... as is #8, and #15.
the bulk of the others are "DoS, cause computer to crash with possibility of arbitrary code execution..." and that assumes the panic condition is consistent.
the only actual scary ones are #19 (not apple's software, and i don't even know if it could actually allow arbitrary code execution), #17, #1 (now fixed), #2 (not apple, and fixed), #4, and #20... so, 6... and 4 are left.
this is just stupid.. my machines are still buck naked on the internet, and i'm still not scared at all.
guns kill people like spoons make Rosie O'Donnell fat.
See their update notice.
so... January is MOAB?
but every month, including this one, is MOM$B
---
jeez, these MOAB guys are real douche bags... too bad (for them) what comes around goes around
The Admin and the Engineer
To mention the Moabites :-)
(Look 'em up in the OT.)
Apple claims to have fixed the overflow problem for both QuickTime for Mac and for Windows, but the fix for the Windows version is nowhere to be found. The Apple Downloads web page only has Mac fixes on it.
STFU
It's not impossible to report a security bug to apple and get a response.
Though a misunderstanding of UNIX permissions, I reported what I thought was a security problem to apple. Apple responded, followed up with me, by then I'd figured out that I was a moron, and what I could do to make what I want happen.
The main point was that Apple was quick to respond (hours). I can't imagine that they'd be any less responsive for a REAL security problem, that the reporter could demonstrate.
If you're curious on what I was stupid about, if you own the directory, you can overwrite any file in that directory, no matter who owns the file. It did not seem right, but it is standard UNIX behavior (Linux, OS X, Solaris all behave this way). OS X even has a fix for this by setting the immutable flag with chflags.
It turns out that this is even used in the MOAB. You can overwrite some of the sticky bit files if you are an admin (w/o authenticating) because the folder is owned by the admin group. Then, when fix permissions is run, it'll reset the sticky bit and make the file owned by root again. Then you just run the file, and get instant root access.
Any sticky bit root programs need to be in a folder owned by root/wheel, have no write permission except by the root user, and the same for the individual file.
And fix permissions should be updated to use a tripwire on anything it gives sticky bit permissions to, so it can also note if someone has tried to change a file that, by definition, is a possible attack vector. And it wouldn't hurt to mark them as immuatable with schg.
The MOAB people are really bright, but also out for the notoriety. They claim that "you can't fix this, as a repair permissions will undo all this".
Which is wrong, and they should know it. For one, you can mark those files as immutable, which will prevent their being over-written w/o using super user privs (instead of just admin privs). And even root can't overwrite an immutable file w/o removing the flag first. If the attacker already has root privs, you've already lost, and they won't be messing with this.
Secondly, you can easily hack repair permissions to have the settings you want on those files. Just make an installer package which over-writes those files, with the permissions you want. Once that package is installed, repair permissions should keep the permissions the way you've set them. I've not tested that, but it should work.
Fetchmail (CVE-2005-2335) assigned 07-21-2005
redhat fixed 07-25-2005
Apple fixed 08-01-2006 (a year later)
Gunzip/Gzip (CVE-2005-0988) assigned 04-06-2005
Redhat fixed 06-13-2005
Apple fixed 08-01-2006 (a year later)
Telnet (CVE-2005-0488) assigned 2-20-2005
Redhat fixed 06-14-2005
Apple fixed 08-01-2006 (a year later)
ClamAV (CVE-2006-1614) assigned 04-05-2006
SuSE fixed 04-11-06 (not a RH package)
Apple fixed 05-11-2006
Libcurl (CVE-2005-4077) assigned 12-08-2005
Redhat fixed 12-20-2005
Apple fixed 05-11-2006
Ruby (CVE-2005-2337) assigned 07-21-2005
Redhat 10-25-2005
Apple fixed 05-11-2006 (almost a year later)
Sudo (CVE-2005-1993) assigned 06-20-2005
Redhat fixed 06-29-2005
Apple fixed 10-29-2005
If you don't care about this and pretend like there isn't an issue, then Apple won't care either. Look at Microsoft, they only made security a priority when their own users started to complain.
Obviously increasing the security of end users is not the top priority.
Why would it be?
Do they have any responsibility to report anything they find? Do they have a personal interest in OSX being secure? Are they being paid by Apple to find bugs? Are they supposed to fix it for them?
No, No, No and No.
So really: what's your fucking problem?
So what is the proper response to the MOAB people?
Duh. The software developers fix bugs ASAP after they become aware of them. It's that simple.
Given all of the above, what can be done?
Do you work for Apple? If not, it's not your software. So why do you care? If you do work for Apple, congratulations - you have some bugs to fix.
I'd certainly never want to work with people who eschew responsible disclosure and are interested only in themselves
I guess you'll never get a job then, since your goal would involve personal profit.
Is there any way the security or computing community can discourage this crap in the future and make it clear that irresponsible behavior like this is unacceptable?
Quit being so terrified about it and fix the problems? You can't force everyone to conform to your world view of being a perfect bug-reporter - they will simply move underground and vanish if you try. You sound like a schoolteacher who's afraid of their students - who in turn smell fear and terrorize you.
Or maybe you're a Mac user who's been throwing stones at Windows, only to suddenly find out that you live in a glass house.