ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
This isn't a problem because it has been proven that only Windows can get viruses. Therefore, because it's not possible for viruses to spread with MacOS, security threats are irrelevant.
I've seen several instances where Apple was aware of a bug but waited months to fix it. Heck, the Quicktime bug that permitted the MySpace virus still runs free according to the last security thread at AppleInsider.
Yes it has. The first one written specifically for OS X came in the form of a trojan. I've also seen Mac classic viruses work fine on PPC OS X systems.
That was not a virus - that was a trojan (pretty huge difference if you know what the differences are!) And read through the final analysis of the work [ambrosiasw.com] the user actually had to do to contract it.
Also, we are talking about OS X viruses not "legacy" viruses that in practice no-one will be catching since almost no-one uses Classic anymore. It's been years since OS X even shipped with OS 9.
Not really. Have you forgotten things like auto-installing widgets?
Which they fixed pretty quickly, as noted....
Apple being behind other BSD systems in patching old exploits? Apple being behind in patching SSH, Apache?
Which don't matter as much since they come turned off by default (and still didn't see any exploits for OS X in the wild)...
Uh... You need to know stuff to write a windows virus too.
Not really, there is a lot more template material online on how to do so, and a number of Windows viruses in the past have been simple variants of existing worms and viruses.
Not according to Norton, F-secure and McAfee.
You're wrong. Care to provide any links as to why you think you're right?
Uh, again no. Give me some decent examples at least.
IE. Forgot about the elephant in the room again?
I don't know... Most of the security techniques Apple uses were developed back in the early 90s...
Oh, they were developed way before that - which is why it is so tragic Microsoft could not even be bothered to do that much until now.
However, the OS in my opinion is far from being a 21st century mind set in general. I mean, look at some of the stupid stuff we have todo. Where we have to open a console and type defaults write com.apple.finder AppleShowAllFiles TRUE
True there is no UI to modify some defaults like that. But anyone who wants to see ALL files in Finder is probably also going to be pretty familiar with the shell and not really mind editing XML files. Frankly I have never enabled Finder in that manner as if I want to be messing with files Finder cannot see by default, I greatly prefer to be using Terminal anyway.
What makes it an advanced OS is that you have a layer that is easily configurable by most users, and then a more advanced layer that is easily adjustable through a few means. The situation is still better than what Windows offered, where you had to basically write TweakUI to get at some settings that could not simply be activated in a text file at least OS X comes with means to modify every setting in the system, even if some are not behind GUI's.
Heh, or we could the simple things that have always worked well... Exploits against the user. Just send them a e-mail with a.pkg file that contains a rootkit (there are feasible methods to-do this on OS X), said hidden process scans the address books of users on Mac (Useful, since many Mac users actually do use the mail client on the system), then starts sending copies of that.pkg to those people....My point is, coming up with methods to make virii on Mac isn't that hard.
Yes that would work - but Mail would warn the user about running it, and the default security level most people run at would prevent it from getting as far into the system as most rootkits are. That is the reason OS X is more security, because of the very old concept of defense in depth applied across the OS, not because any one layer is invulnerable to attack!
Writing viri for any platform is dead simple if you are going to rely on the user to propagate it. But Windows has a million examples of stuff that needs no user even clicking on OK to run off and do its thing. That is another difference. That and of course, the fact that today there are no OS X viruses in the wild. Not just a few, but zero - despite many people such as yourself who think it would be easy to write one and would like to see one just to show up Mac users.
"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."
Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "your going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.
They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.
"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."
They could have thought of a better excuse than this. Giving the vendor n days before disclosure avoids the 'insane amounts of time' scenario, so the argument doesn't hold water. Conscientious greyhats go this route. Maybe we'll call these guys charcoal-greyhats.
So we're left to conclude that they just want attention/fame/notoriety
Apple has had poor relations with security researchers for years.
Actually, Apple has had pretty good interactions with security researchers in general, in my experience. Being a huge PR magnet, however, they also manage to attract showboaters trying to capitalize on the popularity they can get by behaving in a less than reasonable manner. The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state, but Apple responded to it even though they were never contacted with the details of the supposed exploit and did fix several issues they found during a review of the wireless drivers they ship. Apple has done a pretty reasonable job of patching easily exploitable/wormable problems very quickly and they don't seem to be ignoring problems reported to them. One of my coworkers found a local exploit (low risk) and reported it through Apple's Website. The fix was in the next security update and even credited him. It seems like pretty good relations with the security researcher community to me.
As for the month of Apple bugs. It is more of the same. Sure these guys could report Apple bugs to the normal channels and they'd be fixed fairly quickly and overall security would benefit. That, however, won't make the news. So instead of reporting bugs when found, these guys are intentionally delaying releasing that info to both Apple and the public. Apple isn't pressured to quickly fix bugs if they don't even now what those bugs are. The public isn't served by bugs being fixed more quickly. Users aren't served by bugs being released to the public for possible mass exploitation without Apple ever being given a chance to patch their machines. The end result is decreasing the overall security or computing. It serves no one except the researchers who are showboating and being irresponsible.
The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state...
The wireless exploit did [cert.org] apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.
It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.
Yeah but you see, that's against entirely different software and hardware than what secureworks supposedly demonstrated.
I really don't see how you can paint apple in to a bad place with this, secureworks created a lot of hype while disclosing nothing to anyone, Apple took the initiative and at their own expense researched the issue and fixed potential problems they found, none of which has a known exploit. None of this validates what secureworks did, it is possible it's the bug they supposedly found but it's also possible they faked the whole thing.
I'm not an Apple user. And I'm not attacking you. I am, however, affiliated with the security business and it's bad for everybody when half truths and lies are propagated. If you have an example of Apple being difficult to work with then please bring it up. The example you did bring up shows security folks being difficult work work with not just apple but everybody. I really don't see what you were trying to demonstrate or show with that CERT bug link, that Apple found and fixed a bug in their software and then reported it like a responsible company? Or were you trying to suggest that they stole credit from "security researchers" that still haven't disclosed anything, including any documentation of a threat from Apple?
And I think you're mistaken if you believe that marketshare directly reflects the security of a platform. The number of users has little to do with the number of exploitable bugs in it or architectural flaws. More existing bugs might be found in more popular platforms but that doesn't prove that more exist that just aren't found in other platforms. Windows is less secure because it simply wasn't a design factor when most of it was built, that and MS went out of their way to do things differently than how existing systems like UNIX did.
can see what its like to be noticed. when Microsoft gets treated to the same very few care, in fact some seem to relish in it.
Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?
I look at it this way, Apple still is well off. They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with. When they do penetrate the "Average user" market and get into double digits of popularit
...when Microsoft gets treated to the same very few care, in fact some seem to relish in it.
Microsoft is not performing due diligence and is quite frankly not giving customers what they want. They routinely sit on publicly announced bugs for long periods of time and according to people I know who have worked there less than half of the security holes they find internally are prioritized high enough to be fixed. No one is happy worms are destroying computers, but some people are happy to see MS getting bad publicity because of their actions.
Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?
Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA. OS's can be evaluated based upon the nature of the vulnerability, risk, and duration of exposure. For something like this, if it is easily reproducible, under normal circumstances, a couple of weeks seems reasonable. If they are constantly getting new vulnerabilities once a day, it may be longer since they might need to prioritize based upon those. Think of this from the developer's standpoint. If these guys are trying to make OS X less secure, they picked a good way. Thanks jackasses.
They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with.
What do you mean? Apple has lots of novice users including the very young and very old attracted by their reputation for ease of use. How many people on this forum do you suppose convinced their grandparents or parents to get a mac?
When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want.
There is plenty of motivation for hackers to attack OS X right now. The reason it does not happen is not the lack of motivation, but the difficulty/convenience of so doing. Smaller market share makes propagation more complex. Increased scrutiny makes exposures shorter. Many worm authors have a very windows-centric knowledge base. All of these factors may mean as OS X's market share goes up, worms become more common, but to attribute this to motivation is a mistake.
Do not under estimate the creativity and capability of the hackers out there.
I know people on both ends of the security spectrum. I'm not too worried about OS X becoming bug ridden as market share increases. In fact, I think both Windows and OS X security will increase as OS X's market share increases. The problem of security is one of motivation, but not of the motivation of malware authors, but of OS vendors. Apple needs to keep customers happy to maintain market share. Thus, if malware becomes a problem for their users they will fix it or lose money. Right now Microsoft has no such motivation, so their attention to security has been spotty at best. They don't significantly lose money when users suffer from security problems. Increasing OS X's market share might motivate them to improve security. Anyone who argues that MS or Apple is doing all they can has not been paying attention.
So why the hell is Slashdot participating with these dorks and posting their announcements? "Don't feed the trolls."
This is different from trolling in that it is a real problem. The bugs are real, the disclosure is real and we have to manage the situation. If terrorists did not get publicity for their acts, they would not be spreading terror and would thus be ineffective. That doesn't mean the media should not let you know the airport has been taken over. It is a real problem. These people are intentiona
"Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure"
Huh? Apple's users are to blame for Apple's work with security researchers?
Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."
Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.
So please explain to all of us why we have no viruses on the Mac yet, even with some tens of millions of fairly homogoneous computers around (same OS, same patches, much of the same hardware) in a world where botnets of even just a hundred thousand nodes bring in real money. There is financial incentive enough for the macs to hav
Where the hell did I say Windows is more secure than OS X?
You were responding in a thread discussing the relative security of Windows and OS X and whether or not market share was the only factor. You then made the statement, "Sonny, I write device drivers for a living, on Linux and on Mac. I assure you, the Mac isn't more secure." Since that was the first mention of Linux, I, and probably most other readers assumed the first sentence was a statement of your credentials while latter comment was regarding
by Anonymous Coward
on Tuesday January 02 2007, @09:12AM (#17431120)
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
I could not. And only one person I know could. Other people had to heavily modify the script and run QT Player in gdb along with some other voodoo to get it to exploit properly. Doesn't seem like this will cause much harm.
Either way, a third party developer already fixed this [unsanity.org] crasher.
OS X is unimaginably complex. Even the 1500+ page "OS X internals" tome just scratches the surface of most things. (Note that I own and enjoy using a MacBook, so I'm not blindly Apple-bashing.)
The complexity is the first problem. The second is that almost all of the code was written in an insecure manner. No one was doing code-level security reviews on QuickTime and Quartz and all the other bits of OS X. And even if you did, squashing all potential overflow/overwrite bugs in a language like C is essentia
It's not just C though, Apple generally uses Objective-C, which is an object-oriented extention of C. If the programmers did the responsible thing and called libraries for their objects, then it shouldn't be a problem, fix your libraries. They shouldn't be calling for memory using C if they can avoid it. I don't think it's anywhere nearly so simple though.
Not to minimise the problems of writing large complex software systems, but complexity is the second problem... insecure design is the first. I'm more concerned with the fact that Safari uses the same URI handler and helper database as Finder (LaunchServices) and that Apple is more interested in giving people a false sense of security with pop-up dialogs than changing the API slightly to make it inherently secure.
* Split LaunchServices up into "web oriented" applications that are indended for use with untrus
If they were truly interested in "improving MacOS X" or "improving practices on the management side of Apple" then they would release these bugs to Apple first. Don't wait an insane amount of time, but give them a nice reasonable amount of time to fix the bugs. Heck, even tell them you plan on releasing them on thus and so date and start the month *then*, giving props to Apple for those they have fixed.
Is it just me, or is this event well timed? A month of Apple bugs/exploits on the lead up to Windows Vista's commercial release on January 30th (the most "secure" version of Windows). Sounds sinister to me.
This issue has been successfully exploited in QuickTime(TM) Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.
These people are doing Gray Hat hacking. Where like the White Hats their goal is not to do damage to others people computers, but like the black hats feel that people need to feel a little pain before anything can get done and just reporting the problems to the company is not effective enough to get it done. It falls in the range of legal hacking, But it may not be the most moral way of doing it though. It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked. Or just locking the door yourself.
It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked. Or just locking the door yourself.
Not really.
It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."
A poor analogy, methinks. It's more like discovering that an apartment building master key has gotten into criminal hands. First you go to the building manager and ask him to change the locks. If he refuses to do so promptly, you go to the residents and inform them. The problem comes when the master key gets out a lot and the building manager consistently drags his heals on changing the locks each time it does. At a certain point, you realize that the only way to really get his attention is to go directly to the residents.
Not exactly first in this case they are not going to the manager first they are going to the public about it first.
Next a Bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat. And the guy found it one day then blabbed about it to everyone even outside the apartment.
As a land lord myself I know, some jobs can't be done right away. Some things espectially changing all the locks takes time including finding the residence and giving them the new key before they leave. so you can change their locks. Also the time to fix all the locks, dealing with people who think there lock should be replaced first, others who love their lock so much they don't want to change it. Some people creek in fear when the land lord knocks figuring they will evict them with a blink of an eye. (even though it is expensive to leave a room vacent)
This analogy sucks because a guy leaving his door unlocked doesn't normally affect others and there is no need to publicize it. Gray Hat hacking is like discreetly telling the guy that his car door is open, waiting for a while to give him a chance to lock his door, then yelling "Hey This Car Door is Open and all the valuables are inside". The most hotly debated item is how long the waiting part of "waiting for a while to give him a chance" should be because there is no clear consensus on how long it should
This particular option isn't really available in this case, is it? They don't control the OSX source code, Apple does.
It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked.
Bit of a problem with this analogy too. The "door" in question is controlled/lockable only by the person who owns the house (
All in all, this "Month of Bugs" thing is good approach to proactive OS support behavior by a user community. The only problem is, that such an approach requires a fair amount of Good Will towards the product from those users. This effectively rules out similar plans working for Microsoft Windows. There really is a long-term benefit from good behavior on the part of corporations: your customers will actually go out of their way to help you.
Unlike macobserver, who seems to think things like security holes
Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.
I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.
They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.
No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.
So they're out to raise the profile of each problem.
Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.
Much better than using the vulnerabilities to build Mac-based botnets...
Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.
Explaining that Quicktime is actually a third party application that is bundled with the OS not the OS itself.
Actually that's (partially) true. It's not third party since it's developed by Apple, but the fact that it also affects Windows shows that it's not an OS X bug, but a Quicktime bug.
But as another comment has pointed out, this is a month of Apple bugs, not OS X bugs.
Well it is a stab at the Linux user comunity on their views about security. If there is a problem it is rairly a Linux (Kernel) problem but with some other application that is running Apache, Sendmail, su, sudo... Stating these are 3rd party tools not part of Linux per say. Yes I mistakes a Month of Apple bugs with a month OS X Bugs my mistake.
IE is a third party application taht is bundled with the OS and not the OS itself.
I guess that depends on your defenition of third party. To me, neither IE nor Quicktime are not third party applications as they are made by the same company. The differentiation that you may be looking for is whether these are core system applications or optional (secondary) applications. While both bundled are with the OS, MS has constantly said that IE is a part of the OS and cannot be removed. Quicktime and Safari ca
..... Given Apple's tendency to sue just about anything that moves so that the can preserve the "reality distortion field," are these researchers not afraid of being sued out of existence?
The reality distortion field you cite is warping your perspective. Apple is actually not particularly litigious compared to most companies their size. To my knowledge they've never sued anyone for publicizing bugs. They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication. The thing is, the litigation they do enegage in, is often highly publicized, making it seem as though they are very litigious.
So to answer your question, if they have a reasonable grasp on reality, no they aren't worried about being sued.
It's not calling curl or the shell from memory, it appears (from the description) to be a return-to-libc-attack. I am not an expert on this particular thing, but a return-to-libc attack is where you use a buffer overflow to overwrite the return address of the stack frame. Under normal circumstances, the rtsp URL parser would return to his calling function, but if an overflow overwrites the return address, you can basically rewrite the stack's memory of who called the URL parser in the first place. So, in
removed, but... (Score:3, Informative)
Re: (Score:2)
I have tried to always give credit to those who deserve it.
No problem! (Score:4, Funny)
Please, try the veal.
Re: (Score:2)
Bad Idea Jeans [jt.org]
-Eric
Re:No problem! (Score:4, Informative)
Parent
Re: (Score:3, Funny)
Computer security was much better in the nineteenth Century, when computers didn't exist.
Re:No problem! (Score:5, Insightful)
That was not a virus - that was a trojan (pretty huge difference if you know what the differences are!) And read through the final analysis of the work [ambrosiasw.com] the user actually had to do to contract it.
Also, we are talking about OS X viruses not "legacy" viruses that in practice no-one will be catching since almost no-one uses Classic anymore. It's been years since OS X even shipped with OS 9.
Not really. Have you forgotten things like auto-installing widgets?
Which they fixed pretty quickly, as noted....
Apple being behind other BSD systems in patching old exploits?
Apple being behind in patching SSH, Apache?
Which don't matter as much since they come turned off by default (and still didn't see any exploits for OS X in the wild)...
Uh... You need to know stuff to write a windows virus too.
Not really, there is a lot more template material online on how to do so, and a number of Windows viruses in the past have been simple variants of existing worms and viruses.
Not according to Norton, F-secure and McAfee.
You're wrong. Care to provide any links as to why you think you're right?
Uh, again no. Give me some decent examples at least.
IE. Forgot about the elephant in the room again?
I don't know... Most of the security techniques Apple uses were developed back in the early 90s...
Oh, they were developed way before that - which is why it is so tragic Microsoft could not even be bothered to do that much until now.
However, the OS in my opinion is far from being a 21st century mind set in general. I mean, look at some of the stupid stuff we have todo.
Where we have to open a console and type
defaults write com.apple.finder AppleShowAllFiles TRUE
True there is no UI to modify some defaults like that. But anyone who wants to see ALL files in Finder is probably also going to be pretty familiar with the shell and not really mind editing XML files. Frankly I have never enabled Finder in that manner as if I want to be messing with files Finder cannot see by default, I greatly prefer to be using Terminal anyway.
What makes it an advanced OS is that you have a layer that is easily configurable by most users, and then a more advanced layer that is easily adjustable through a few means. The situation is still better than what Windows offered, where you had to basically write TweakUI to get at some settings that could not simply be activated in a text file at least OS X comes with means to modify every setting in the system, even if some are not behind GUI's.
Heh, or we could the simple things that have always worked well... Exploits against the user. Just send them a e-mail with a
Yes that would work - but Mail would warn the user about running it, and the default security level most people run at would prevent it from getting as far into the system as most rootkits are. That is the reason OS X is more security, because of the very old concept of defense in depth applied across the OS, not because any one layer is invulnerable to attack!
Writing viri for any platform is dead simple if you are going to rely on the user to propagate it. But Windows has a million examples of stuff that needs no user even clicking on OK to run off and do its thing. That is another difference. That and of course, the fact that today there are no OS X viruses in the wild. Not just a few, but zero - despite many people such as yourself who think it would be easy to write one and would like to see one just to show up Mac users.
Parent
Is this true? (Score:4, Insightful)
Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "your going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.
They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.
Re: (Score:2)
They could have thought of a better excuse than this. Giving the vendor n days before disclosure avoids the 'insane amounts of time' scenario, so the argument doesn't hold water. Conscientious greyhats go this route. Maybe we'll call these guys charcoal-greyhats.
So we're left to conclude that they just want attention/fame/notoriety
Re:Apple Vs. Security Researchers (Score:5, Insightful)
Apple has had poor relations with security researchers for years.
Actually, Apple has had pretty good interactions with security researchers in general, in my experience. Being a huge PR magnet, however, they also manage to attract showboaters trying to capitalize on the popularity they can get by behaving in a less than reasonable manner. The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state, but Apple responded to it even though they were never contacted with the details of the supposed exploit and did fix several issues they found during a review of the wireless drivers they ship. Apple has done a pretty reasonable job of patching easily exploitable/wormable problems very quickly and they don't seem to be ignoring problems reported to them. One of my coworkers found a local exploit (low risk) and reported it through Apple's Website. The fix was in the next security update and even credited him. It seems like pretty good relations with the security researcher community to me.
As for the month of Apple bugs. It is more of the same. Sure these guys could report Apple bugs to the normal channels and they'd be fixed fairly quickly and overall security would benefit. That, however, won't make the news. So instead of reporting bugs when found, these guys are intentionally delaying releasing that info to both Apple and the public. Apple isn't pressured to quickly fix bugs if they don't even now what those bugs are. The public isn't served by bugs being fixed more quickly. Users aren't served by bugs being released to the public for possible mass exploitation without Apple ever being given a chance to patch their machines. The end result is decreasing the overall security or computing. It serves no one except the researchers who are showboating and being irresponsible.
Parent
I'm afraid you are incorrect, sir. (Score:2, Informative)
The wireless exploit did [cert.org] apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.
Re:I'm afraid you are incorrect, sir. (Score:5, Informative)
The wireless exploit did apply to Airport cards;
It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.
Parent
Re:I'm afraid you are incorrect, sir. (Score:5, Insightful)
I really don't see how you can paint apple in to a bad place with this, secureworks created a lot of hype while disclosing nothing to anyone, Apple took the initiative and at their own expense researched the issue and fixed potential problems they found, none of which has a known exploit. None of this validates what secureworks did, it is possible it's the bug they supposedly found but it's also possible they faked the whole thing.
Parent
Re:Do you feel better now? (Score:4, Insightful)
And I think you're mistaken if you believe that marketshare directly reflects the security of a platform. The number of users has little to do with the number of exploitable bugs in it or architectural flaws. More existing bugs might be found in more popular platforms but that doesn't prove that more exist that just aren't found in other platforms. Windows is less secure because it simply wasn't a design factor when most of it was built, that and MS went out of their way to do things differently than how existing systems like UNIX did.
Parent
and now Apple (Score:2)
when Microsoft gets treated to the same very few care, in fact some seem to relish in it.
Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?
I look at it this way, Apple still is well off. They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with. When they do penetrate the "Average user" market and get into double digits of popularit
Re:and now Apple (Score:5, Insightful)
Microsoft is not performing due diligence and is quite frankly not giving customers what they want. They routinely sit on publicly announced bugs for long periods of time and according to people I know who have worked there less than half of the security holes they find internally are prioritized high enough to be fixed. No one is happy worms are destroying computers, but some people are happy to see MS getting bad publicity because of their actions.
Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?
Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA. OS's can be evaluated based upon the nature of the vulnerability, risk, and duration of exposure. For something like this, if it is easily reproducible, under normal circumstances, a couple of weeks seems reasonable. If they are constantly getting new vulnerabilities once a day, it may be longer since they might need to prioritize based upon those. Think of this from the developer's standpoint. If these guys are trying to make OS X less secure, they picked a good way. Thanks jackasses.
They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with.
What do you mean? Apple has lots of novice users including the very young and very old attracted by their reputation for ease of use. How many people on this forum do you suppose convinced their grandparents or parents to get a mac?
When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want.
There is plenty of motivation for hackers to attack OS X right now. The reason it does not happen is not the lack of motivation, but the difficulty/convenience of so doing. Smaller market share makes propagation more complex. Increased scrutiny makes exposures shorter. Many worm authors have a very windows-centric knowledge base. All of these factors may mean as OS X's market share goes up, worms become more common, but to attribute this to motivation is a mistake.
Do not under estimate the creativity and capability of the hackers out there.
I know people on both ends of the security spectrum. I'm not too worried about OS X becoming bug ridden as market share increases. In fact, I think both Windows and OS X security will increase as OS X's market share increases. The problem of security is one of motivation, but not of the motivation of malware authors, but of OS vendors. Apple needs to keep customers happy to maintain market share. Thus, if malware becomes a problem for their users they will fix it or lose money. Right now Microsoft has no such motivation, so their attention to security has been spotty at best. They don't significantly lose money when users suffer from security problems. Increasing OS X's market share might motivate them to improve security. Anyone who argues that MS or Apple is doing all they can has not been paying attention.
Parent
Re: (Score:2)
So why the hell is Slashdot participating with these dorks and posting their announcements? "Don't feed the trolls."
This is different from trolling in that it is a real problem. The bugs are real, the disclosure is real and we have to manage the situation. If terrorists did not get publicity for their acts, they would not be spreading terror and would thus be ineffective. That doesn't mean the media should not let you know the airport has been taken over. It is a real problem. These people are intentiona
Explain the logic... (Score:4, Interesting)
Huh? Apple's users are to blame for Apple's work with security researchers?
Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."
Parent
Occam's Razor (Score:3, Insightful)
So please explain to all of us why we have no viruses on the Mac yet, even with some tens of millions of fairly homogoneous computers around (same OS, same patches, much of the same hardware) in a world where botnets of even just a hundred thousand nodes bring in real money. There is financial incentive enough for the macs to hav
Re: (Score:3, Insightful)
Where the hell did I say Windows is more secure than OS X?
You were responding in a thread discussing the relative security of Windows and OS X and whether or not market share was the only factor. You then made the statement, "Sonny, I write device drivers for a living, on Linux and on Mac. I assure you, the Mac isn't more secure." Since that was the first mention of Linux, I, and probably most other readers assumed the first sentence was a statement of your credentials while latter comment was regarding
Doesn't work for me (Score:5, Interesting)
Either way, already addressed (Score:3, Interesting)
I could not. And only one person I know could. Other people had to heavily modify the script and run QT Player in gdb along with some other voodoo to get it to exploit properly. Doesn't seem like this will cause much harm.
Either way, a third party developer already fixed this [unsanity.org] crasher.
There are likely thousands of security problems (Score:2)
(Note that I own and enjoy using a MacBook, so I'm not blindly Apple-bashing.)
The complexity is the first problem. The second is that almost all of the code was written in an insecure manner. No one was doing code-level security reviews on QuickTime and Quartz and all the other bits of OS X. And even if you did, squashing all potential overflow/overwrite bugs in a language like C is essentia
Re: (Score:2, Interesting)
Not to minimise these problems... (Score:2)
I'm more concerned with the fact that Safari uses the same URI handler and helper database as Finder (LaunchServices) and that Apple is more interested in giving people a false sense of security with pop-up dialogs than changing the API slightly to make it inherently secure.
* Split LaunchServices up into "web oriented" applications that are indended for use with untrus
These people read their own press releases (Score:3, Insightful)
Doesn't work (Score:3, Informative)
Timing (Score:3, Interesting)
OK (Score:2, Funny)
Sorta works on a macbook pro (Score:4, Interesting)
Snips from my crash log:
OS Version: 10.4.8 (Build 8N1051)
Report Version: 4
Command: QuickTime Player
Path:
Parent: WindowServer [57]
Version: 7.1.3 (7.1.3)
Build Version: 65
Project Name: QuickTime
Source Version: 4650000
PID: 9548
Thread: Unknown
Exception: EXC_BAD_INSTRUCTION (0x0002)
Code[0]: 0x00000001
Code[1]: 0x00000000
Unknown thread crashed with X86 Thread State (32-bit):
eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)
ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
Not so good.
Re:QuickTime runs on Windows too... (Score:5, Informative)
Parent
Re:QuickTime runs on Windows too... (Score:5, Informative)
-Eric
Parent
Re:And a negative side effect? (Score:4, Interesting)
Parent
Re: (Score:3)
Or is the parent just full of lies, FUD and other unpleasant and damaging stuff?
Re:good thought but I wonder (Score:5, Informative)
Parent
Re:good thought but I wonder (Score:5, Insightful)
It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."
Parent
Re:good thought but I wonder (Score:5, Insightful)
-Eric
Parent
Re:good thought but I wonder (Score:5, Insightful)
Next a Bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat. And the guy found it one day then blabbed about it to everyone even outside the apartment.
As a land lord myself I know, some jobs can't be done right away. Some things espectially changing all the locks takes time including finding the residence and giving them the new key before they leave. so you can change their locks. Also the time to fix all the locks, dealing with people who think there lock should be replaced first, others who love their lock so much they don't want to change it. Some people creek in fear when the land lord knocks figuring they will evict them with a blink of an eye. (even though it is expensive to leave a room vacent)
Parent
Re: (Score:3, Interesting)
Gray Hat hacking is like discreetly telling the guy that his car door is open, waiting for a while to give him a chance to lock his door, then yelling "Hey This Car Door is Open and all the valuables are inside". The most hotly debated item is how long the waiting part of "waiting for a while to give him a chance" should be because there is no clear consensus on how long it should
Re: (Score:2)
This particular option isn't really available in this case, is it? They don't control the OSX source code, Apple does.
It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked.
Bit of a problem with this analogy too. The "door" in question is controlled/lockable only by the person who owns the house (
A Fine Plan (Score:2)
There really is a long-term benefit from good behavior on the part of corporations: your customers will actually go out of their way to help you.
Unlike macobserver, who seems to think things like security holes
Re:good thought but I wonder (Score:4, Interesting)
Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.
I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.
They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.
No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.
So they're out to raise the profile of each problem.
Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.
Much better than using the vulnerabilities to build Mac-based botnets...
Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.
Parent
Re:At this rate (Score:5, Insightful)
Parent
Re: (Score:2, Redundant)
But as another comment has pointed out, this is a month of Apple bugs, not OS X bugs.
Re: (Score:2)
Re: (Score:3, Insightful)
I guess that depends on your defenition of third party. To me, neither IE nor Quicktime are not third party applications as they are made by the same company. The differentiation that you may be looking for is whether these are core system applications or optional (secondary) applications. While both bundled are with the OS, MS has constantly said that IE is a part of the OS and cannot be removed. Quicktime and Safari ca
Re:I have a dumb question..... (Score:4, Insightful)
The reality distortion field you cite is warping your perspective. Apple is actually not particularly litigious compared to most companies their size. To my knowledge they've never sued anyone for publicizing bugs. They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication. The thing is, the litigation they do enegage in, is often highly publicized, making it seem as though they are very litigious.
So to answer your question, if they have a reasonable grasp on reality, no they aren't worried about being sued.
Parent
Re: (Score:2)
A much better approach: Find 90 bugs, give Apple 30 days to fix them, and release those that were fixed along with those that were not fixed.
That would either show whether Apple takes security seriously, without exposing the user base to added security risks.
Wait. (Score:3, Insightful)
Re: (Score:3, Informative)
It's not calling curl or the shell from memory, it appears (from the description) to be a return-to-libc-attack. I am not an expert on this particular thing, but a return-to-libc attack is where you use a buffer overflow to overwrite the return address of the stack frame. Under normal circumstances, the rtsp URL parser would return to his calling function, but if an overflow overwrites the return address, you can basically rewrite the stack's memory of who called the URL parser in the first place. So, in