Apple Responds to MOAB
frdmfghtr writes "Apple has released what appears to be the first security update as a result of the "Month of Apple Bugs." While the Apple site doesn't explicitly say that the fix was a result of the MOAB, it does point to a sample Quicktime file that triggers the overflow flaw (well, sort of...it says the file is there but doesn't provide any links)."
From the linked Apple release: "A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007). This update addresses the issue by performing additional validation of RTSP URLs."
Is that not explicit enough??
save the GNUs!
No, it's still going strong.
:-)
http://projects.info-pull.com/moab/
One could argue the significance of each bug, but I would say the quantity is not lacking. I was sure I would see a few days or a week, but it looks like there has been a total of 23 when I visited the site.
I'd have to say Steve Jobs is a core daemon
Never ask for directions from a two-headed tourist! -Big Bird
No, this isn't the only bug, nor is it the most serious.
There are remote code execution and escalation of privileges bugs that are still yet to be fixed, but at least it appears that these bugs are being taken seriously and will hopefully be fixed.
There are all sorts of people trying to find bugs in Linux and Windows, but not nearly as many people are doing so for OS X. As a Mac user, I am glad someone is doing this now and finding these bugs and exposing them to the public and to Apple before there are exploits out in the wild.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.
This may be true and there may be better ways (using the Bug Report server for example), but if the end result is getting these problems fixed and a better system out of it, then I am happy with the effort put into it.
Maybe we need something like this for Linux and Windows?
Jumpstart the tartan drive.
Not sure I'd agree with that, actually. Apple is generally regarded as being slower than Microsoft at patching problems. According to the MOAB folks the QuickTime HREF universal XSS was patched slowly and then only for MySpace (huh?). Plugin XSS is pretty serious! It's possible they got better, but according to this study from 2006 it took them 91 days on average to fix known exploits.
Yes, of course, it's silly to call it the "Month of Apple Bugs" when they are also reporting exploits in third party software. Unfortunately, it's also understandable - the fact that many security problems in Windows are caused by third party software does not stop people blaming Microsoft for the insecurity of the Windows platform. Given that quite a few of these third party exploits are privilege escalation (e.g. instant root), it is Apple's problem. If third party devs cannot write secure code then they'll end up in the same situation as Windows - and it seems they can't write secure code (no surprises here). Apple are already being targeted by attackers.
I quite agree that these "Month of X bugs" things seem to be quite irresponsible and even immature. I'm not sure what the point of them is, except to make a bad situation worse.
I was more troubled by the way they treated Omniweb...
Even more troubling is the hubbub surrounding their Colloquy vulnerability, mentioned in this article. They are accused of actually using the exploit on a public IRC channel before releasing the vulnerability and publishing a log of that hack in the announcement. I don't know if it is true, but given their behavior with the rest of this project they're slipping more and more towards the blackhat end of the spectrum.
I see several comments from folks stating that they are surprised that Apple is taking steps to patch issues ("taking it seriously", etc.). I find that a slightly strange comment given that Apple is actually rather good about addressing vulnerabilities that others report to them, and gives them credit (if they reported it to Apple). Granted, Apple's general no-comment policy until an issue is investigated and patched can be a little annoying if you report an issue and would like to know more, but that policy doesn't mean that Apple doesn't take security reports seriously.
Just review all of the attribution Apple has given for the many vulnerabilities they have addressed over the years. For example look at the security release announcements for 2006 (mailing list archive).
As a side note, a few MOAB issues are centered on group-admin writable locations that can be used to take over the system if you have local access (possibly via a remote exploit). It may take Apple a little while to address this type of issue given the possibility of permission changes causing Apple and 3rd party software (installers most likely) to fail for customers. Luckily a few new security related features will debut in Mac OS X 10.5 that will make this type of attack harder to pull off (us 3rd party developers should adopt them ASAP).
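The comment above describes the failure mode (directories left writable by an administrative group that a local account can then abuse) without showing how an administrator would find such locations on their own machine. The following audit script is an added example, not code from the original thread or from Apple: it lists group-writable directories under the roots you pass it and, optionally, clears the group write bit. The function names and the root paths in the usage line are assumptions; on Mac OS X you could narrow the search with `-group admin`, but the script checks any group-writable directory so it also runs on other Unix systems, whose admin group is named differently.

```sh
#!/bin/sh
# Hypothetical audit for group-writable directories (added example, not from
# the page or from Apple). Installers sometimes leave application or library
# directories writable by an admin group; a local account in that group can
# replace binaries there, so such directories are worth knowing about.

# Print every directory under the given roots whose group has write permission.
# Usage: find_group_writable_dirs ROOT...
find_group_writable_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -perm -g+w matches when the group write bit is set, regardless of
        # the other bits; errors for unreadable subtrees are suppressed.
        find "$root" -type d -perm -g+w -print 2>/dev/null
    done
}

# Print the number of group-writable directories under the given roots.
# A result of 0 means the audited roots are clean.
audit_group_writable() {
    find_group_writable_dirs "$@" | wc -l | tr -d ' '
}

# Remediation: remove the group write bit from each directory found.
# Run the audit first and review the list; some installers expect to write
# to these locations, which is exactly the compatibility concern noted above.
fix_group_writable() {
    find_group_writable_dirs "$@" | while IFS= read -r dir; do
        chmod g-w "$dir"
    done
}

# Example usage (assumed roots; adjust for your system):
#   audit_group_writable /Applications /Library
#   fix_group_writable /Applications /Library
```

Running the audit before the fix gives you a list to review against what your installers actually need, which is the trade-off the comment above is pointing at.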
A brief listing...
CoreGraphics
CVE-ID: CVE-2006-1444
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue.
Keychain
CVE-ID: CVE-2006-1446
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: An application may be able to use Keychain items when the Keychain is locked
Description: When a Keychain is locked, it is not possible for applications to access the Keychain items it contains without first requesting that the Keychain be unlocked. However, an application that has obtained a reference to a Keychain item prior to the Keychain being locked may, in certain circumstances, be able to continue using that Keychain item regardless of whether the Keychain is locked or unlocked. This update addresses the issue by rejecting requests to use Keychain items when the Keychain is locked. Credit to Tobias Hahn of HU Berlin for reporting this issue.
GDB
CVE-ID: CVE-2006-4146
Available for: Mac OS X v10.4 and later
Impact: Opening a maliciously-crafted DWARF binary with GDB may lead to arbitrary code execution
Description: GDB, the GNU Debugger, is susceptible to multiple vulnerabilities that may lead to arbitrary code execution when loading maliciously-crafted DWARF binaries. This update addresses the issues by performing additional validation while handling DWARF binaries. Credit to Will Drewry and Tavis Ormandy of the Google Security Team for reporting this issue.
etc.
Yeah, we have. It is actually rather easy to do. Personally I would file a defect with Apple's bug-reporter system and then send an email to the product-security email address with a reference to the bug number.
http://www.apple.com/support/security/
http://developer.apple.com/bugreporter/
The summary is wrong. Apple specifically said that the fix is in response to a report from MOAB.
To clarify, they say it was made public on MOAB's Web site. They did not say it was in response to that announcement, nor did they imply that MOAB had reported the problem to Apple, via the normal bug report channels.
See their update notice.
Yes, QuickDraw is deprecated. But it's still used by quite a bit of common software. (Such as MS Office, or nearly anything from Adobe.)
-- Tim Buchheim