Apple Responds to MOAB
frdmfghtr writes "Apple has released what appears to be the first security update as a result of the "Month of Apple Bugs." While the Apple site doesn't explicitly say that the fix was a result of the MOAB, it does point to a sample Quicktime file that triggers the overflow flaw (well, sort of...it says the file is there but doesn't provide any links)."
First thing I thought of was this.
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
Day of obvious Microsoft Bugs?
Sorry, couldn't resist.
Vote monkeys into Congress. They are cheaper and more trustworthy.
from the linked apple release: " A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007). This update addresses the issue by performing additional validation of RTSP URLs."
is that not explicit enough??
save the GNUs!
No, it's still going strong.
:-)
http://projects.info-pull.com/moab/
One could argue the significance of each bug, but I would say the quantity is not lacking. I was sure I would see a few days or a week, but it looks like there has been a total of 23 when I visited the site.
I'd have to say Steve Jobs is a core daemon
Never ask for directions from a two-headed tourist! -Big Bird
I speak the truth! There are No Bugs In The Macintosh! Those whom you have heard saying there are bugs? Where are they now? They are not in the Macintosh. They are roasting in the stomach of the Jobs.
Even if there were Bugs in the Mac OS, the infidels would not find them. We would know about them first and Fix them forthright. They will never defeat us for 1000 generations.
We welcome the discovery of bugs in the Macintosh! We have set a trap for them and when they fall into it, we will be victorious, Jobs willing! We will ensnare them with the traps we have set and will cast them out of the kernel and back to where they came from!
My opinions are my own, and do not necessarily represent those of my employer.
They've succeeded in furthering the silly notion that OSX is more secure. :( Here we have 20 some odd bugs and not a SINGLE disastrous outbreak among OSX computers. Will someone please find the ball and GET ON IT?!? Maybe they'll have some amazingly earth shattering ones towards the end of the month.
If this little act of theirs doesn't result in a major worm/virus outbreak, then that means that even if you SHOW people how to break the system they still can't, again furthering the notion that OSX is somehow more secure than Windows!!
So what is the proper response to the MOAB people? They are revealing real bugs, some of which could be exploitable. Ignoring them leads to decreased security. At the same time they have behaved very irresponsibly with regard to those bugs they have found, neither notifying the vendor and providing time to fix before publication, nor following the route of immediate disclosure. The MOAB people seem to think it is all right to sit on bugs they find until the most convenient time for them to gain publicity. Worse, they intentionally space out the publication of the bugs, so a Dev/QA cycle to fix them has to either wait till the end or commit to missing some. As such they have maximized the time of exposure for these bugs, which encourages worms by giving malware authors as much time as possible.
Obviously increasing the security of end users is not the top priority. Accurately informing the public does not seem to be their top concern either, since they named their project "Month of Apple Bugs" while many of the bugs they've announced are in third-party code (some of it cross-platform) that has nothing to do with Apple. It seems to me all they care about is publicity and sensationalizing themselves in the hope that they can capitalize upon it. Looking at them in that light, it makes sense to spread out the announcement of these bugs and not inform vendors beforehand, because it increases the likelihood that people will be compromised, giving them the opportunity to go to news outlets and say, "see, we told you this might happen."
Given all of the above, what can be done? I'd certainly never want to work with people who eschew responsible disclosure and are interested only in themselves, nor would I trust them. But any press is good press, and most people are not security people and won't even understand what it is these people are doing, they'll just know they got press for security research. Is there any way the security or computing community can discourage this crap in the future and make it clear that irresponsible behavior like this is unacceptable?
I'm told he's the irreplaceable core of Apple inc, so I guess he's neither a bug nor a feature; he's Apple's Internet Explorer.
This fix is in line with the typical timing and attention given Apple security updates - relatively quick and competent.
This pretty much busts MOAB's claims of Apple's ignorance and/or hostility at bug reports.
Apple has been doing better than most, fixing 99.9% of their problems through their established channels without MOAB's brand of nonsense. Count all the bugs fixed through the normal dev bug report process. Count all those fixed by MOAB's. Compare.
IIRC nearly a third of their "Apple Bugs" are 3rd party problems to begin with.
MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.
If Apple users make you cry, go kick your tires.
If you want the world to believe that you're a responsible developer that anyone will listen to or hire, prove it in daylight.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
No, this isn't the only bug, nor is it the most serious.
There are remote code execution and escalation of privileges bugs that are still yet to be fixed, but at least it appears that these bugs are being taken seriously and will hopefully be fixed.
There are all sorts of people trying to find bugs in Linux and Windows, but not nearly as many people are doing so for OS X. As a Mac user, I am glad someone is doing this now and finding these bugs and exposing them to the public and to Apple before there are exploits out in the wild.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
I haven't heard much coverage on the MOAB since the QuickTime revelation -- haven't they dug up any further baloney in the OS or its core of Jobsian iApps?
They've revealed a number of potentially exploitable bugs, although nothing to really worry about right away, and a number more third party bugs that have little or nothing to do with Apple.
If the highlight of the month is the damn QuickTime thing, this has worked out to be a fairly dull bug hunt.
The most interesting thing to come out of this so far is actually a third party bug in Colloquy, a popular IRC client. The bug itself is not all that novel, but the explanation of the bug that the MOAB team allegedly originally posted showed them using the vulnerability to hack users on the popular #macdev on Freenode IRC. Basically, many people are claiming they posted a log of themselves not only behaving unethically, but illegally, before even announcing the vulnerability. The explanation of the bug they now post no longer contains that log. For more information check out the article and the accompanying forums.
They have VLC and OmniWeb in the list though. As these are not directly Apple bugs, I would have to lower the number to 21.
They also have Transmit, Rumpus, Colloquy, APE, and the PDF spec listed, none of which Apple wrote (although Apple did write an implementation of the last). To be generous, you'll have to drop the number to 17.
Oh
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
(Offtopic, but who (besides some disgruntled mod) cares...)
;P)
Acronyms and product names like XY6342w are not a 'human' thing. It's an engineer/geek thing. In fact I was thinking about this today: part of the success of the iPod, for example, could be thanks to its simple, memorable name. It really stands out in the myriad of alphanumerically named 'generic' MP3 players. I'm sure the iPod would still be quite successful if it was called Apple MP3Player E3807-92i, but those kinds of names just aren't nice or 'sexy'. Real word names just hit home harder. (OK, somebody could argue that 'iPod' is not a real word, but I don't care.)
I don't know about that. Apple releases updates routinely and seems to be on a monthly schedule. I wouldn't say it was a clear case of cause and effect.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I see several comments from folks stating that they are surprised that Apple is taking steps to patch issues ("taking it seriously", etc.). I find that a slightly strange comment given that Apple is actually rather good about addressing vulnerabilities that others report to them and giving them credit (if they reported it to Apple). Granted, Apple's general no-comment policy until investigated and patched can be a little annoying if you report an issue and would like to know more, but that policy doesn't mean that Apple doesn't take security reports seriously.
Just review all of the attribution Apple has given for the many vulnerabilities they have addressed over the years. For example, look at the security release announcements for 2006 (mailing list archive).
As a side note, a few MOAB issues are centered on group-admin-writable locations that can be used to take over the system if you have local access (possibly via a remote exploit). It may take Apple a little while to address this type of issue given the possibility of permission changes causing Apple and 3rd party software (installers most likely) to fail for customers. Luckily a few new security-related features will debut in Mac OS X 10.5 that will make this type of attack harder to pull off (we 3rd party developers should adopt them ASAP).
A brief listing...

CoreGraphics
CVE-ID: CVE-2006-1444
Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Characters entered into a secure text field can be read by other applications in the same window session
Description: Quartz Event Services provides applications with the ability to observe and alter low-level user input events. Normally, applications cannot intercept events when secure event input is enabled. However, if "Enable access for assistive devices" is on, Quartz Event Services can be used to intercept events even when secure event input is enabled. This update addresses the issue by filtering events when secure event input is enabled. This issue does not affect systems prior to Mac OS X v10.4. Credit to Damien Bobillot for reporting this issue.

Keychain
CVE-ID: CVE-2006-1446
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: An application may be able to use Keychain items when the Keychain is locked
Description: When a Keychain is locked, it is not possible for applications to access the Keychain items it contains without first requesting that the Keychain be unlocked. However, an application that has obtained a reference to a Keychain item prior to the Keychain being locked may, in certain circumstances, be able to continue using that Keychain item regardless of whether the Keychain is locked or unlocked. This update addresses the issue by rejecting requests to use Keychain items when the Keychain is locked. Credit to Tobias Hahn of HU Berlin for reporting this issue.

GDB
CVE-ID: CVE-2006-4146
Available for: Mac OS X v10.4 and later
Impact: Opening a maliciously-crafted DWARF binary with GDB may lead to arbitrary code execution
Description: GDB, the GNU Debugger, is susceptible to multiple vulnerabilities that may lead to arbitrary code execution when loading maliciously-crafted DWARF binaries. This update addresses the issues by performing additional validation while handling DWARF binaries. Credit to Will Drewry and Tavis Ormandy of the Google Security Team for reporting this issue.

etc.
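The comment above mentions that several MOAB issues hinge on group-admin-writable locations that a local user (or a remote exploit that has gained local access) can abuse to take over the system. The usual defensive response, independent of any vendor patch, is to audit privileged directory trees for entries that are group- or world-writable and tighten them. The script below is an added example, not code from the Slashdot thread, from MOAB or from Apple; it builds a small constructed fixture tree under a temporary directory (the `Good.app`, `Bad.app` and `StartupItems` names are made up for the demonstration) so it can be run offline, and the same `audit_writable` function can be pointed at real trees such as `/Applications` or `/Library`.

```shell
#!/bin/sh
# Added example (not from the page, MOAB or Apple): audit a directory tree
# for group- or world-writable entries, the kind of permission weakness the
# comment above describes as a local takeover path.

# Print every entry under $1 whose mode grants write to group or to others.
# Symbolic -perm tests are POSIX find, so this works with GNU and BSD find.
audit_writable() {
  root="$1"
  find "$root" \( -perm -g=w -o -perm -o=w \) -print 2>/dev/null | sort
}

# Count the writable entries, for a quick pass/fail check in a cron job or CI.
count_writable() {
  audit_writable "$1" | wc -l | tr -d ' '
}

# Build a constructed fixture so the audit can be demonstrated offline.
# Names are hypothetical; only the permission bits matter.
make_fixture() {
  base=$(mktemp -d)
  mkdir -p "$base/Applications/Good.app" \
           "$base/Applications/Bad.app" \
           "$base/Library/StartupItems"
  chmod 755 "$base/Applications"       # sane: owner-only write
  chmod 755 "$base/Library"
  chmod 755 "$base/Applications/Good.app"
  chmod 775 "$base/Applications/Bad.app"      # group-writable: flagged
  chmod 777 "$base/Library/StartupItems"      # world-writable: flagged
  printf '%s\n' "$base"
}

# Usage on a live system (no fixture):  audit_writable /Applications
# Usage against the fixture:
#   base=$(make_fixture); audit_writable "$base"; rm -rf "$base"
```

The fixture's `Bad.app` and `StartupItems` are the only two entries the audit reports; `Good.app` and the parent directories are not listed. On a real system each hit needs a judgement call (some installers genuinely rely on admin-group write access, which is exactly the compatibility concern the comment raises), so the script reports rather than silently running `chmod`.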
Many of the bugs are problems that are just outright bizarre in thinking of how they'd get executed.
"Here is a malformed HFS+ filesystem that can potentially cause a kernel panic and cause arbitrary code execution. You should all be quaking in your boots."
Now just one damn minute... first, you have to get me a DMG, which, apparently, will instantly panic the kernel. Fine. So what? In real life, I'd throw out the dmg file, download it again, it would panic again, and I'd give up.
I'm missing (and it could just be me) how that's in any way exploitable in any meaningful sense.
I think the problem is that MOAB is putting on a show of bugs... and nothing more. These are bugs that either made it past the guys in Cupertino, or they just didn't see them as that big of a deal, and figured they'd get to them eventually.
Some of these bugs are bad and could cause Macs the world over to get pwn3d and get used to do whatever you can do with a pwn3d Windows box. Fine.
But many of them are just, well... bugs that cause the system to crash. So the hell what? Without some kind of setup and extreme set of circumstances, the majority of the bugs here crash your system, and then you reboot...
Microsoft's problem has been "be a user on the internet with their software, get pwn3d." I'm trying to see which of these bugs would give Mac users similar "functionality".
#21 requires a local user to take advantage of this escalation problem - on a machine that they are probably already the only user of.
#20 is the same thing... as is #8, and #15.
The bulk of the others are "DoS, cause computer to crash with possibility of arbitrary code execution..." and that assumes the panic condition is consistent.
The only actual scary ones are #19 (not Apple's software, and I don't even know if it could actually allow arbitrary code execution), #17, #1 (now fixed), #2 (not Apple, and fixed), #4, and #20... so, 6... and 4 are left.
This is just stupid... my machines are still buck naked on the internet, and I'm still not scared at all.
guns kill people like spoons make Rosie O'Donnell fat.
See their update notice.
Do you think these people have a monopoly on finding bugs?
What people? Security researchers?
Once OS X gets enough market share to be worthwhile to blackhats you're going to see a lot worse.
OS X has enough market share and other features to motivate people to exploit it now, it just has not had enough to motivate people hard enough to get past the difficulties involved. There is also no guarantee that OS X's market share will increase or that it will become more attractive to hackers at a rate that is greater than it becoming more difficult to exploit.
If you think researchers releasing bugs to the public without waiting for the vendor to patch is bad then you really won't like it when someone discovers a vulnerability and uses it to create a worm themselves or sells it to someone else that will. This is only a taste of things to come.
Yeah, creating a zero-day worm is worse than just releasing the bugs in such a way as to make it more likely that someone else will create a worm. What is your point?
Yes, QuickDraw is deprecated. But it's still used by quite a bit of common software. (Such as MS Office, or nearly anything from Adobe.)
-- Tim Buchheim
The people you're complaining about. The people running MoAB.
I described several groups of people looking for security holes in OS X and you ask me if I think the MOAB people have a monopoly on looking for security holes in OS X? I'm going to say, "no" and wonder what you're smoking.
You're contradicting yourself: "they're motivated but they're not motivated enough". OK... that doesn't make sense.
Are you motivated to get $1000? Are you motivated enough to pick it up off the sidewalk if you see it? Are you motivated enough to saw off both your legs with a hacksaw if someone will give $1000 to you?
With OS X there is motivation, but since the task is more difficult for a variety of reasons, people with motivation exploit something else that is not as hard.
Any way you want to spin it, OS X doesn't have enough market share to be worth it.
The additional market share that can be exploited on OS X by adding a zero day exploit to a multi-vector worm is greater than adding most windows exploit vectors. In addition, those machines are more likely to contain certain valuable data commodities and a great deal more notoriety and recognition is possible. Assuming that market share tells the entire story is misguided.
OS X may be more secure than insert-other-OS-here but it's still going to have bugs and there will be people there to exploit them.
Again, what is your point and what does this have to do with anything? How does this particular project help that situation?
I'm trying to figure out your point. You're complaining about something uncontrollable as if it matters.
My points are very simple. I'm not convinced that there is less security research into OS X than Linux and Windows. The MOAB project is being run in a very unprofessional and irresponsible way and is obviously not being conducted by researchers who should be trusted. Further, due to their methods, they are doing more harm to overall security than good.
The important thing is how Apple responds to bugs not complaining about how 3rd parties disclose those bugs. It's offtopic and it seems like just another fanboy putting his own personal RDF spin on things.
You think it's off topic to discuss the methods of a third party in a discussion about Apple's response to that third party? Have you ever thought that the way in which bugs are submitted and publicized has a lot to do with how Apple will respond to them? You're really reaching here.
Your ad hominem attacks against MoAB...
Do you even know what ad hominem attacks are? I discussed what the MOAB people were doing that was wrong, not who they are. Please go reread a book on the rhetorical method.
Of course the vulnerabilities exist. That's not an issue. The point being discussed was how Apple has and should respond to disclosure that is designed to make them worse than they would be with a responsible disclosure method. Apple will fix them the same way they always do: they look at the problem, fix it, test it, and roll it into the next patch. What other options do they have? Just because the MOAB people intentionally spread them out so this process will leave longer windows of vulnerability, there is not really anything else Apple can do, aside from criticize them for their methods.
Of course they didn't release an update for the Windows version of QT.