Slashdot Mirror


User: landonf

landonf's activity in the archive.

Stories: 0
Comments: 38

Comments · 38

  1. Our "Enterprise" Experience on Why Microsoft Should Fear Apple · Score: 5, Interesting

    Parallels has allowed our company to begin the migration away from Windows by providing support for specific, required applications on the platform of choice:
            - Business users receive Macs, and use Parallels (and sometimes Boot Camp) for specific applications.
            - Engineers have the choice between either Mac OS X or Ubuntu. They can also run Parallels or VMware for Windows applications, though they rarely do so.
            - Artists run Windows, since their singular, primary application is 3d Studio Max -- Windows only 3d software.

    Parallels has allowed us to make a long-term platform decision (Mac OS X and Linux) while continuing to support the short-term software requirements (Running Windows software). As more cross-platform software is made available, we will migrate away from the Windows-only solutions.

  2. Re:Unnecessary. on Mac Developer Mulls Zero-day Security Response · Score: 2, Informative

    I wholeheartedly agree with the importance of notifying the vendor -- unfortunately, that's not always done. The point of "0-day" patches is to provide a security option where none currently exists.

  3. Re:Install a fix not from Apple? Fat Chance on Month of Apple Fixes · Score: 1

    As a reply to my earlier comment -- I've been stewing on this, and decided to err on the side of caution and register a dyld "add image" callback for the QT Streaming Component, using _dyld_register_func_for_add_image(). I'll include the changes with the next bug fix.

    Thank you very much for your suggestion.

  4. Re:Install a fix not from Apple? Fat Chance on Month of Apple Fixes · Score: 1
    Aside from the excess use of address space that you point out, this may unintentionally expose more applications to bugs from frameworks they don't normally link against, such as: [snip] I wouldn't be surprised to see these guys take advantage of this in a future exploit. I'm not too familiar with dyld or APE patching unfortunately so I don't have a solution to offer. Ideally, one can patch only those apps or bundles that link against the QTS framework themselves.

    Thank you very much for reviewing the code. I ultimately decided that the additional complexity required to watch for the QTS component being dynamically loaded was more risky than simply forcing it to be loaded. It seems like the simplest way to ensure that the function in question is -always- patched.

    The only security downside, as far as I know, is that an existing exploit could potentially execute some of the newly loaded code (See http://en.wikipedia.org/wiki/Return-to-libc_attack ). However, after reviewing a number of applications (Safari, Firefox, Adium, Mail.app, VLC) it became apparent that most of the libraries in question were already being loaded anyway. It seems like additional risk is very minute, but I could be missing something important =)

  5. Re:Install a fix not from Apple? Fat Chance on Month of Apple Fixes · Score: 5, Informative
    I don't care who this guy is... I'm not downloading "fixes" for my iMac from anyone but Apple

    Absolutely -- but I'd still strongly suggest disabling the QuickTime RTSP component:

    http://isc.sans.org/diary.php?storyid=1993

    1. Go to MOAB site, record exploit info 2. Create malicious version of exploit 3. Post to web as a "fix" and tell users to blindly install

    You forgot number 4:

    4. Have my professional and personal reputation permanently sullied.

    I'll pass! =) The code is up for review, but if you don't feel comfortable with my fix, you can disable the primary attack vector by following the directions from the SANS web site.

  6. Re:rushed fixes, and untested at that on Month of Apple Fixes · Score: 5, Informative
    So some third party is going to try to rush out daily fixes?

    If I have time, or if people help me.

    How much testing is done on these fixes, none?

    I tested thoroughly on Intel and PowerPC Macs. I wouldn't release a fix to the world without being fairly certain that it works correctly. You're welcome to review the code for the first fix -- it's about 10 lines. I'd be happy to explain the various entry points for you, too. We're using these fixes on all our Macs here at Three Rings Design.

    Alternatively, you can not use the patch. I won't mind.

    And how do you uninstall these quick fix hacks when Apple releases the legit fixes?

    You open the Application Enhancer pref pane and hit the "-" (minus) button.

  7. I've implemented a fix for this issue on Month of Apple Bugs - First Bug Unveiled · Score: 2, Interesting

    I tracked down the issue and created a runtime fix using Unsanity's Application Enhancer. The overflow is in the QuickTime Streaming component's INet_ParseURLServer() function -- the fix patches that function and pre-validates the URL before passing it off to the real function implementation. If the URL is too long, the patch replaces the Evil URL with a benign, but invalid one, and then calls the original function.

    It's worth noting that disabling RTSP, as noted elsewhere, is not sufficient -- there are other vulnerable entry-points to INet_ParseURLServer(), as it is used for generic URL parsing.

    More information is available here:

    http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php

    and the patch (with source!) can be downloaded here:

    http://landonf.bikemonkey.org/code/macosx

    You can test the fix (make sure to log out and log back in after installing APE!) in Safari (or Firefox) by visiting this URL:

    http://landonf.bikemonkey.org/static/rtsp_crash.html

    If you're using Safari, QuickTime should display a "bad address" error once the patch is installed. If the patch isn't installed, Safari will crash.
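    As an added illustration, and not landonf's APE patch (whose source is linked above), this C sketch shows the pre-validation pattern the comment describes: a guard placed in front of a URL-server parser that substitutes a benign, invalid URL for any oversize input before calling the original function, and counts how often it had to do so. The length limit, the stub parser, the replacement URL and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limit; the real bound inside the QuickTime component is not
 * stated in the comment. Anything longer is treated as hostile. */
#define URL_MAX_LEN 255

/* Benign but invalid replacement URL, as the comment describes. */
static const char BENIGN_URL[] = "rtsp://invalid/";

typedef int (*parse_server_fn)(const char *url);

/* In a real hook the patching framework would fill this with the address of
 * the original INet_ParseURLServer(); here it is set by install_guard(). */
static parse_server_fn original_parse_server;
static unsigned long blocked_count;

/* Stand-in for the real parser: returns the length of the server (host)
 * portion between "://" and the next '/', or -1 if there is no scheme. */
static int stub_parse_server(const char *url) {
    const char *host = strstr(url, "://");
    if (host == NULL)
        return -1;
    host += 3;
    const char *end = strchr(host, '/');
    return (int)(end != NULL ? (size_t)(end - host) : strlen(host));
}

/* The guard that would be installed in place of the original function. */
int guarded_parse_server(const char *url) {
    if (url == NULL || strlen(url) > URL_MAX_LEN) {
        blocked_count++;                        /* record the rejection */
        return original_parse_server(BENIGN_URL); /* original never sees it */
    }
    return original_parse_server(url);
}

void install_guard(parse_server_fn real) {
    original_parse_server = real;
    blocked_count = 0;
}

unsigned long guarded_blocked_count(void) { return blocked_count; }

/* Convenience for callers: wire the guard to the stub parser. */
void install_stub_guard(void) { install_guard(stub_parse_server); }
```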

  8. Related Book Recommendation on Drugs Eradicate the Need For Sleep · Score: 1
    On the subject of not sleeping, I read a fantastic book by Nancy Kress entitled "Beggars in Spain". It's a Hugo and Nebula award winning book, and I'd highly recommend it. If you'll excuse the back cover quote:
    In a world where the slightest edge can mean the difference between success and failure, Leisha Camden is beautiful, extraordinarily intelligent ... and one of an ever-growing number of human beings who have been genetically modified to never require sleep. Once considered interesting anomalies, now Leisha and the other "Sleepless" are outcasts -- victims of blind hatred, political repression, and shocking mob violence meant to drive them from human society ... and, ultimately, from Earth itself. But Leisha Camden has chosen to remain behind in a world that envies and fears her "gift" -- a world marked for destruction in a devastating conspiracy of freedom ... and revenge.

  9. Re:Sorry, but... on OpenDarwin Project Shutting Down · Score: 1

    Didn't get what? That Apple wasn't interested in community contributions/support for Darwin?
    No, I think we did "get it", and thus this announcement. What bothers me about your post is the disdain you have for the effort -- the notion that even trying deserves derision.

    Apple advertised -- and still advertises -- Darwin as the open source core of Mac OS X. OpenDarwin was based on the notion of building a community around what *could* be contributed to -- Darwin. Perhaps this was ultimately folly, but your ridicule is unwarranted. An independently buildable standalone Darwin would have allowed us to work directly with and contribute changes back to Darwin, independent of Mac OS X and its secrecy, release schedules, etc.

    Instead, Apple moved to make Darwin source "not live", now doing a source drop with every release. While their prerogative, it makes it incredibly difficult to contribute any fixes or changes back to Mac OS X -- by the time one does, the code you're working with is far out of date, and chances are good your changes won't be accepted.

    As someone who started with Mac OS X by tracking the live Darwin sources, submitting changes, and getting code accepted, I have been disappointed to see this model for community involvement disappear. You may not care at all, but I see absolutely no reason to mock those that do.

  10. Re:Sorry, but... on OpenDarwin Project Shutting Down · Score: 1

    You're kidding, right? Did you not even read the article? Here, let me quote for you:
          "OpenDarwin was meant to be a development community and a proving ground for fixes and features for Mac OS X and Darwin, which could be picked up by Apple for inclusion in the canonical sources."

    OpenDarwin was started with Apple's assistance, by Apple engineers, for the above purpose.

  11. Letter to the Boston Globe Editor on Peter J. Quinn Investigated for Travel Omissions · Score: 2, Interesting

    I sent the following to the Boston Globe Editor:

    Microsoft's campaign against industry standards has sunk to new lows. Stephen Kurkjian's Nov 26th muck-raking article on Massachusetts CIO Peter Quinn paints Quinn's personal dedication and industry outreach as potential scandal and corruption. Is a $543 trip to a conference on digital governance by the Commonwealth's CIO really worthy of a front-page article?

    Kurkjian writes "a galaxy of computer companies are listed as sponsors of many of the conferences", but then notes that Quinn "did not list any of them on his authorization forms or the business relationships any of them have with the Commonwealth." It was the conference organizers, not sponsors, who paid for Quinn's trips. Should Quinn also be required to list every conference's advertisers and their business relationships with the Commonwealth? That would certainly be a galaxy of paperwork!

    Quinn is doing his job. Moving to the OpenDocument format is the equivalent of trying to convert the Commonwealth of Massachusetts to standardized printer paper. He should be praised for his dedication to the Commonwealth in the face of an 800lb industry gorilla, not dragged through the mud for attending industry conferences.

  12. We do too on Ubuntu: Best Linux Desktop for Business? · Score: 3, Interesting

    Here at Three Rings, we're migrating all developer desktops to Ubuntu. It works, it's free, and users can maintain it themselves.

    Ubuntu has mixed Debian's solid packaging tools with a healthy dose of pragmatism and arrived at a distribution that Just Works. As a desktop operating system, I couldn't be happier with how Ubuntu is working out.

  13. Re:Don't use self-signed certs. on Web Browser Developers Work Together on Security · Score: 1

    Disabling certificate validation is silly. There is no reason to do it.

    Running your own, small-scale Certificate Authority takes about 10 minutes of your time and is vastly more secure than bypassing certificate validation. There's no need to pay anyone, you simply ensure that your clients have your CA certificate installed.

    TinyCA is very easy to use.