Month of Apple Bugs - First Bug Unveiled

ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"

  • by antime ( 739998 ) on Tuesday January 02, 2007 @09:56AM (#17431014)
    RTFA:
    Affected versions

    This issue has been successfully exploited in QuickTime(TM) Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.

  • removed, but... (Score:3, Informative)

    by ens0niq ( 883308 ) on Tuesday January 02, 2007 @09:59AM (#17431036)
    Credit line removed by the editor, but I found this report on HUP [hup.hu].
  • by jellomizer ( 103300 ) * on Tuesday January 02, 2007 @10:02AM (#17431052)
    These people are doing Gray Hat hacking, where, like the White Hats, their goal is not to do damage to other people's computers, but, like the Black Hats, they feel that people need to feel a little pain before anything can get done and that just reporting the problems to the company is not effective enough to get it done. It falls in the range of legal hacking, but it may not be the most moral way of doing it. It is like finding a car door open and yelling out "Hey, this car door is open and all the valuables are inside, someone should lock it!" vs. finding the person who owns the car and discreetly telling him that it is unlocked. Or just locking the door yourself.
  • by elrous0 ( 869638 ) * on Tuesday January 02, 2007 @10:20AM (#17431176)
    You'll note that it's the "Month of *APPLE* Bugs," not the month of OS X bugs.

    -Eric

  • Re:No problem! (Score:4, Informative)

    by Jeff DeMaagd ( 2015 ) on Tuesday January 02, 2007 @10:36AM (#17431314)
    I've seen several instances where Apple was aware of a bug but waited months to fix it. Heck, the Quicktime bug that permitted the MySpace virus still runs free according to the last security thread at AppleInsider.
  • Doesn't work (Score:3, Informative)

    by matth ( 22742 ) on Tuesday January 02, 2007 @10:46AM (#17431428)
    I tried the exploit.. doesn't work on my macbook.
  • by porkchop_d_clown ( 39923 ) on Tuesday January 02, 2007 @11:19AM (#17431654)
    The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state...

    The wireless exploit did [cert.org] apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.

  • by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday January 02, 2007 @11:44AM (#17431850)

    The wireless exploit did apply to Airport cards;

    It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.

  • by iluvcapra ( 782887 ) on Tuesday January 02, 2007 @05:38PM (#17435958)

    It's not calling curl or the shell from memory, it appears (from the description) to be a return-to-libc attack. I am not an expert on this particular thing, but a return-to-libc attack is where you use a buffer overflow to overwrite the return address of the stack frame. Under normal circumstances, the rtsp URL parser would return to its calling function, but if an overflow overwrites the return address, you can basically rewrite the stack's memory of who called the URL parser in the first place. So, instead of returning to where Quicktime called it, your computer can be tricked into returning to a different place in memory, like somewhere in libc. Libc has all kinds of dangerous functions, namely system(3), which accepts a string as an argument (which you have also put on the stack with your buffer overflow) and will run an arbitrary program on your computer (like curl, but bash and perl and ruby can do all kinds of damage).

    Of note is the fact that this exploit gets around NX, because your payload need not be executable, it merely is a return address and a string to pass into libc. Also of note is that this exploit does not cause privilege escalation; any processes started by the exploit will run under the privileges of the user who clicks on the file, and you will still get a sudo-dialog if the sploit tries to do things as wheel.

    If I am misreading this exploit, please correct me. They say "arbitrary code execution" in the summary.
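The bug shape iluvcapra's comment is describing, shown as an added illustration rather than code from the page, from QuickTime or from the MOAB advisory: a hypothetical rtsp:// host parser that copies into a fixed stack buffer with no length check, beside a bounds-checked version that validates the scheme and rejects a host that does not fit. HOST_MAX, both function names and the sample URLs are assumptions made for this example. The unchecked function is only ever called with a short URL here; with a long one it would smash its own stack frame, which is exactly the condition a return-to-libc payload needs.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64  /* hypothetical fixed-size stack buffer */

/* Bug shape the comment describes: the host part of "rtsp://host/path" is
 * copied into a fixed stack buffer with no length check.  A host longer than
 * HOST_MAX runs past `host` into the saved frame pointer and return address,
 * so when this function returns, control goes wherever the overflow wrote
 * (for return-to-libc: the address of system(3), followed by a fake return
 * address and a pointer to the command string).  Hypothetical code; only
 * call it with a short URL, since a long one is undefined behaviour. */
size_t rtsp_host_unchecked(const char *url, char *out, size_t outlen)
{
    char host[HOST_MAX];
    const char *p = url + strlen("rtsp://");
    size_t n = strcspn(p, "/");          /* host runs to the first '/' */
    memcpy(host, p, n);                  /* overflow: n is never compared to HOST_MAX */
    host[n] = '\0';
    snprintf(out, outlen, "%s", host);
    return n;
}

/* Hardened form: check the scheme, bound the copy by the destination size,
 * and reject (rather than silently truncate) a host that would not fit.
 * Returns the host length, or -1 on a malformed or over-long URL. */
int rtsp_host_checked(const char *url, char *host, size_t hostlen)
{
    static const char scheme[] = "rtsp://";
    const size_t slen = sizeof scheme - 1;
    if (hostlen == 0 || strncmp(url, scheme, slen) != 0)
        return -1;                       /* not an rtsp URL */
    const char *p = url + slen;
    size_t n = strcspn(p, "/:");         /* stop at the path or port separator */
    if (n == 0 || n >= hostlen)
        return -1;                       /* empty, or no room for host plus NUL */
    memcpy(host, p, n);
    host[n] = '\0';
    return (int)n;
}

int main(void)
{
    char host[HOST_MAX];
    /* constructed inputs: one that fits and one built to overrun HOST_MAX */
    char longurl[sizeof "rtsp://" + 200];
    memcpy(longurl, "rtsp://", 7);
    memset(longurl + 7, 'A', 200);
    longurl[207] = '\0';

    printf("checked, short host: %d\n",
           rtsp_host_checked("rtsp://media.example/a.mov", host, sizeof host));
    printf("checked, 200-byte host: %d\n",
           rtsp_host_checked(longurl, host, sizeof host));
    /* rtsp_host_unchecked(longurl, ...) is deliberately not called: it would
     * overwrite the saved return address of its own frame. */
    return 0;
}
```

The checked version returns -1 instead of truncating because silently cutting a host short turns one class of bug into another (the caller connects somewhere other than what the URL named); rejecting the URL is the safer failure. Note also the point the comment makes about NX: nothing here makes the stack executable, and the overflow is dangerous regardless, because the payload only needs to supply an address and a string.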
