Month of Apple Bugs - First Bug Unveiled

ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
  • by Anonymous Coward on Tuesday January 02, 2007 @10:01AM (#17431044)
    Could you give some examples of Apple suing people to cover up security holes then?
  • Doesn't work for me (Score:5, Interesting)

    by Anonymous Coward on Tuesday January 02, 2007 @10:12AM (#17431120)
    I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
  • Re:No problem! (Score:1, Interesting)

    by jellomizer ( 103300 ) * on Tuesday January 02, 2007 @10:16AM (#17431152)
    What?
    Macs had viruses in the past. OS X hasn't had any yet. OS X has had security holes, which could have allowed viruses through it, but Apple patches them rather quickly before any can actually spread. Plus, unlike Windows viruses, it actually takes a person who actually knows stuff to make an OS X virus. Most Windows viruses take advantage of easy-to-make ActiveX controls, VB Scripts in applications, and a bunch of other crap that Microsoft put in their OS during the '90s because they wanted to make sure their products could do more than their competitors and because no one cared about security (well, not everyone; I am on record stating that ActiveX controls, when they were released, would open a nasty can of worms because trust-based security will not work... and I was right). So they all got Outlook so people can fill out forms in their email and submit them; they had Word and Excel that could do anything under the sun. Now it is biting back for MS. Now Apple OS X was redesigned with a 21st-century mindset on security. But as time goes on Apple is putting more and more features into the OS, many of them scary in security terms, such as integration of iChat and the other iApps, the Automator, and other things which could lead to security problems in the future.
  • by Secrity ( 742221 ) on Tuesday January 02, 2007 @10:35AM (#17431294)
    This analogy sucks because a guy leaving his door unlocked doesn't normally affect others and there is no need to publicize it.

    Gray Hat hacking is like discreetly telling the guy that his car door is open, waiting for a while to give him a chance to lock his door, then yelling "Hey This Car Door is Open and all the valuables are inside". The most hotly debated item is how long the waiting part of "waiting for a while to give him a chance" should be because there is no clear consensus on how long it should be. Vendors believe that the waiting time should be until the vendor announces the vulnerability, which may be 'never'. Some Gray Hats believe that a vulnerability should be publicized as soon as it is discovered.

    The biggest issue is that vendors rarely say how to report security vulnerabilities in a way that the vendor will acknowledge that it has been made aware of the potential vulnerability. This lack of acknowledgment is the primary reason for Gray Hats having to publicize the vulnerability. Another big issue is that security engineers live and die by being the first to report a vulnerability -- and vendors don't usually give credit to the engineer who reported the vulnerability to them. Even if a patch for a serious vulnerability is released the vendor may not even acknowledge that a serious vulnerability has been patched.
  • by Jeff DeMaagd ( 2015 ) on Tuesday January 02, 2007 @10:41AM (#17431366) Homepage Journal
    It's not just C though, Apple generally uses Objective-C, which is an object-oriented extension of C. If the programmers did the responsible thing and called libraries for their objects, then it shouldn't be a problem, fix your libraries. They shouldn't be calling for memory using C if they can avoid it. I don't think it's anywhere nearly so simple though.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday January 02, 2007 @10:57AM (#17431508)

    Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.

    I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.

    They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.

    No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.

    So they're out to raise the profile of each problem.

    Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.

    Much better than using the vulnerabilities to build Mac-based botnets...

    Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.

  • Timing (Score:3, Interesting)

    by lord_iain ( 1045936 ) on Tuesday January 02, 2007 @11:05AM (#17431568)
    Is it just me, or is this event well timed? A month of Apple bugs/exploits on the lead up to Windows Vista's commercial release on January 30th (the most "secure" version of Windows). Sounds sinister to me.
  • by Anonymous Coward on Tuesday January 02, 2007 @11:20AM (#17431662)
    I'd be willing to bet that a large percentage of these are holes in QuickTime. It's not really a shock to anyone to suggest that it's a buggy, badly coded pile of shit.

    I'd be interested to see what they define as "Apple". Do they mean just Apple software, or software that's bundled by Apple? For example, an update last year added in the Macromedia Flash player. I would imagine that that is riddled with security holes.

    There's a reason I browse with all plugins disabled, you know...
  • Explain the logic... (Score:4, Interesting)

    by jpellino ( 202698 ) on Tuesday January 02, 2007 @11:41AM (#17431820)
    "Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure"

    Huh? Apple's users are to blame for Apple's work with security researchers?

    Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."

  • Re:Doesn't work (Score:2, Interesting)

    by owsla ( 78381 ) on Tuesday January 02, 2007 @12:17PM (#17432184) Homepage
    Same thing here on a 3rd generation PowerBook G4 with all available updates. I tried the ruby script -- it just crashed Quicktime, but no exploit.
  • by Paradox ( 13555 ) on Tuesday January 02, 2007 @02:26PM (#17433670) Homepage Journal
    The assumed known address is wrong, but it does crash quicktime on my machine.

    Snips from my crash log:

    OS Version: 10.4.8 (Build 8N1051)
    Report Version: 4

    Command: QuickTime Player
    Path: /Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
    Parent: WindowServer [57]

    Version: 7.1.3 (7.1.3)
    Build Version: 65
    Project Name: QuickTime
    Source Version: 4650000

    PID: 9548
    Thread: Unknown

    Exception: EXC_BAD_INSTRUCTION (0x0002)
    Code[0]: 0x00000001
    Code[1]: 0x00000000 ...

    Unknown thread crashed with X86 Thread State (32-bit):
        eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
        edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)
          ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
          ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037

    Not so good. :)
  • by landonf ( 905751 ) <landonf@plausible.coop> on Tuesday January 02, 2007 @04:05PM (#17434934) Homepage

    I tracked down the issue and created a runtime fix using Unsanity's Application Enhancer. The overflow is in the QuickTime Streaming component's INet_ParseURLServer() function -- the fix patches that function and pre-validates the URL before passing it off to the real function implementation. If the URL is too long, the patch replaces the Evil URL with a benign, but invalid one, and then calls the original function.

    It's worth noting that disabling RTSP, as noted elsewhere, is not sufficient -- there are other vulnerable entry-points to INet_ParseURLServer(), as it is used for generic URL parsing.

    More information is available here:

    http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php

    and the patch (with source!) can be downloaded here:

    http://landonf.bikemonkey.org/code/macosx

    You can test the fix (make sure to log out and log back in after installing APE!) in Safari (or Firefox) by visiting this URL:

    http://landonf.bikemonkey.org/static/rtsp_crash.html

    If you're using Safari, QuickTime should display a "bad address" error once the patch is installed. If the patch isn't installed, Safari will crash.
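The length guard landonf describes, as an added illustration in C (it is not landonf's APE patch and not Apple's code): a guard sits in front of the original entry point, pre-validates the URL length, and hands the real function a benign but invalid URL when the input is too long. The 255-byte limit, the replacement URL and the stand-in parser are all constructed assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit for this example; the page does not give the real buffer size. */
#define MAX_URL_LEN 255
/* Constructed stand-in for the "benign, but invalid" replacement URL. */
#define BENIGN_URL "rtsp://invalid.example/"

typedef int (*parse_url_fn)(const char *url);

/* Constructed model of the original parser: it only records what it was
 * handed. QuickTime's real INet_ParseURLServer() is not reproduced here. */
static char last_url_seen[MAX_URL_LEN + 1];

static int model_original_parse(const char *url) {
    size_t n = strlen(url);
    if (n > MAX_URL_LEN) n = MAX_URL_LEN;   /* the model itself stays safe */
    memcpy(last_url_seen, url, n);
    last_url_seen[n] = '\0';
    return 0;
}

/* Pointer the patched entry point forwards to (set when the hook installs). */
static parse_url_fn real_parse_url = model_original_parse;

/* True if s has more than limit characters; never reads past limit + 1 bytes. */
static bool longer_than(const char *s, size_t limit) {
    for (size_t i = 0; i <= limit; i++)
        if (s[i] == '\0') return false;
    return true;
}

/* The guard installed over the original entry point: validate length first,
 * hand the real function a harmless invalid URL when the input is too long,
 * otherwise pass it through. Returns true when a substitution happened. */
bool guarded_parse_url(const char *url) {
    bool too_long = (url == NULL) || longer_than(url, MAX_URL_LEN);
    real_parse_url(too_long ? BENIGN_URL : url);
    return too_long;
}

const char *last_url(void) { return last_url_seen; }

/* Constructed sample: a 300-byte run of 'A', the kind of input that leaves
 * 0x41414141 in the registers of the crash log quoted earlier in the thread. */
bool long_url_demo(void) {
    char url[301];
    memset(url, 'A', 300);
    url[300] = '\0';
    return guarded_parse_url(url);
}
```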

  • by Rosyna ( 80334 ) on Tuesday January 02, 2007 @04:56PM (#17435518) Homepage
    I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?

    I could not. And only one person I know could. Other people had to heavily modify the script and run QT Player in gdb along with some other voodoo to get it to exploit properly. Doesn't seem like this will cause much harm.

    Either way, a third party developer already fixed this [unsanity.org] crasher.
