Month of Apple Fixes

Posted by kdawson
from the mister-fixit dept.
das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."

  • by daveschroeder (516195) * on Tuesday January 02, 2007 @05:34PM (#17435922)
    Kevin Finisterre, security researcher, founder of Digital Munition [digitalmunition], and co-presenter of the Month of Apple Bugs [info-pull.com], has also responded on the SecurityFocus focus-apple list [securityfocus.com] to some of my concerns [securityfocus.com], expanding on some of the motivations and reasoning behind MOAB (followup [securityfocus.com]).

    Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player [info-pull.com] that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...

    In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.

    (Disclaimer: I am the story submitter.)
    • by 0racle (667029) on Tuesday January 02, 2007 @05:46PM (#17436054)
      Month of apple bugs over in one Bug? They had to go to an application already? Also, who would have known, an application writer that makes a mistake on one platform might make that same mistake on another.
    • Re: (Score:2, Insightful)

      by Otter (3800)
      Man, they're really scraping the bottom of the barrel, and it's only January 2nd! A string handling vulnerability in a cross-platform app I've never heard of? They should at least have been able to make it to the end of the BCS before resorting to filler like that.
      • Re: (Score:3, Funny)

        by drinkypoo (153816)
        On one hand you're right. On the other hand, if you've never heard of vlc, you've been living under a fucking rock.
        • by Otter (3800) on Tuesday January 02, 2007 @06:16PM (#17436380) Journal
          See, the point of switching back to Mac from Linux for recreational desktop use is that I just click on files and they play. If I wanted abuse for not being familiar with some media player minutia, I'd still be in #mplayer trying to figure out what to install to view a WMV.
          • Re: (Score:3, Insightful)

            by fishbot (301821)
            WMVs played out of the box on your Mac? You didn't need Flip4Mac or anything else? How did you manage that, then?
            • by node 3 (115640)

              WMVs played out of the box on your Mac? You didn't need Flip4Mac or anything else? How did you manage that, then?
              No, but it's much[*] easier to get them working on a Mac than it is on Linux.

              [*] My entry in the "Understatement of the Year Award for 2007".
          • by delire (809063)
            .. while others are switching from OS X to Linux because they feel more comfortable about the transparency under which security vulnerabilities are handled..

            Anyway, as on Linux and on OS X, if you install mplayer you'll still need to find external support to play WMV's. Just as on OS X, as on Linux, if you install VLC [videolan.org] you can click a WMV and it'll play.
            • by Goaway (82658)
              while others are switching from OS X to Linux because they feel more comfortable about the transparency under which security vulnerabilities are handled.

              "Others"? There are two of you?
          • by drinkypoo (153816)

            See, the point of switching back to Mac from Linux for recreational desktop use is that I just click on files and they play.

            sure, unless you want to play them full screen when the author doesn't want you to - you actually have to pay for quicktime pro for that.

            Or unless you want to play ogg vorbis or theora content, you'll need to install additional software.

            Or unless you want to play any of these: FLV, Flash Screen Video, or AVIs with AAC, AC3, H.264, MPEG4, or VBR MP3 audio. Which is why there's

            • by Hes Nikke (237581)
              i've found that Quicktime Pro + Flip4Mac + some divx derivative does give VLC a run for its money on my mac mini attached to my TV, particularly from a UI point of view.*

              now if i don't have the time to set everything up so that it purrs, i'll throw VLC onto a system.

              *i'm sure front row will be just stellar with this setup, but i have a PPC in my mini, so apple said "wait 'till leopard... or install an older version of OS X and patch it." sometimes apple's idiotic policies (.mac, quicktime pro, front row be
            • by Goaway (82658)
              Or you could just install vlc and update it occasionally, since it seems to correctly play more media formats than any other player - and that definitely includes Apple's Quicktime.

              Mac users actually appreciate well-designed interfaces, so that's not really an option.

              It's kind of sad when a program is beaten on interface design by mplayer, of all things.
              • by drinkypoo (153816)

                Mac users actually appreciate well-designed interfaces, so that's not really an option.

                If you don't like the interface that comes with vlc, pick another one [videolan.org]. Incidentally I've found quicktime to be one of the most annoying fucking apps ever. The wanky little pull-outs that slide out unnecessarily are just stupid. I guess "pretty" is what stands in for "well designed" in apple-land these days.

                • by Goaway (82658)
                  Skins? We don't "skin" apps on OS X. And does it have a skin that makes the preferences window usable by humans?

                  And when did you last use Quicktime? It hasn't had any sliding drawers for years and years.
                  • by drinkypoo (153816)

                    Skins? We don't "skin" apps on OS X.

                    I'm sorry to hear that application developers don't offer you the same flexibility on OSX that we tend to get everywhere else.

                    And does it have a skin that makes the preferences window usable by humans?

                    Most people will never need to mess with the preferences window at all. I've looked at it a zillion times but never actually changed anything.

                    And when did you last use Quicktime? It hasn't had any sliding drawers for years and years.

                    Apparently that's how long

                    • by Goaway (82658)
                      I'm sorry to hear that application developers don't offer you the same flexibility on OSX that we tend to get everywhere else.

                      The flexibility to choose between a wide array of interfaces that are consistent only in their all being horrible to use is not really considered a feature. We like interfaces that look like the rest of the OS, and behave in ways specified by the HIG. I do not feel the need to put stickers and custom rims on my car, and I do not feel the need to rice my computer, either.

                      Most people w
                    • by drinkypoo (153816)

                      It used to be that there were important interface guidelines that users expected applications to respect, so arbitrary skins didn't really make sense. Of course now that Apple doesn't seem to worry so much about those "trivial" matters I suppose skinning will become more commonplace.

                      Yeah, I started to get my back all up but luckily I finished reading your comment. Apple has three widget sets and they use them all in currently shipping versions of OSX. They have also apparently forgotten everything they

            • by sqlrob (173498)
              sure, unless you want to play them full screen when the author doesn't want you to - you actually have to pay for quicktime pro for that

              Or learn a little scripting. Apple didn't learn the "if you don't want it used, don't ship it" tenet of security. The full screen functionality (at least it used to be) was easily accessible with AppleScript, even without pro.
              • by drinkypoo (153816)

                sure, unless you want to play them full screen when the author doesn't want you to - you actually have to pay for quicktime pro for that

                Or learn a little scripting. Apple didn't learn the "if you don't want it used, don't ship it" tenet of security.

                That's not really a security issue because Quicktime and Quicktime Pro are the same software. Quicktime is simply crippleware based on the regkey - features are disabled. Want proof? The same download works for both quicktime and quicktime pro, and the dif

                • by sqlrob (173498)
                  That's not really a security issue because Quicktime and Quicktime Pro are the same software.

                  Yes, it is a security issue, but only from Apple's point of view. Customers are getting something they didn't pay for. That's a hole in the implementation. The only truly secure implementation would be to not ship the feature in the lite version.

                  odds of the average user writing an applescript to fullscreen quicktime is basically nil compared to the odds of them downloading VLC

                  Not when it's easy to find and do [macosxhints.com]. It's
            • by iroll (717924)
              If you can spend an afternoon or two googling around to figure out wtf happened to sound AND video during a routine install of Debian and call that "progress*," you will think the hack for making Quicktime fullscreen for free is a snap.

              *Granted, last time I did this was 2 years ago, I'm sure things have progressed.
              • by drinkypoo (153816)

                If you can spend an afternoon or two googling around to figure out wtf happened to sound AND video during a routine install of Debian and call that "progress*," you will think the hack for making Quicktime fullscreen for free is a snap.

                Eh, shit happens. But that's pretty irrelevant when we're talking about a mac. The clueful will figure it out, but most people are not clueful. Most people are fucking lames. Which is why the mac has one button :D (sorry, couldn't resist)

          • by Ash-Fox (726320)
            I'd still be in #mplayer trying to figure out what to install to view a WMV.
            ffmpeg supports WMV9 already... What would you need to figure out in mplayer? It should work just fine.
          • having to re-apply a collection of kernel patches for the USB drivers every time I got a kernel update. (This was back in early 2.4, you understand).

            These days, it's Linux goes on the back end machine, OS X on the front end, and Windows off the deep end.
        • Surely you meant "On the other hand, if you've never heard of vlc, you're one of maybe 95% of computer users."

          Most people have never heard of VLC, because they don't live for their computer. They actually do other stuff, and don't care to go finding software like this. I've mentioned it to a few people, and none had heard of it.

          Slashdot != normal people
          • It's popular enough that every minor release was posted to /. *and* it plays videos I wasn't able to play with QuickTime. I've used it for years.
            • I use VLC as well, and have for a few years. It's a great addition to my computer, although the UI is pretty awful (but getting better in leaps and bounds).

              That doesn't mean it's popular though. I still don't know anyone outside of tech-based websites who's heard of it when asked.
          • by drinkypoo (153816)

            Surely you meant "On the other hand, if you've never heard of vlc, you're one of maybe 95% of computer users." Most people have never heard of VLC, because they don't live for their computer. They actually do other stuff, and don't care to go finding software like this. I've mentioned it to a few people, and none had heard of it. Slashdot != normal people

            Actually, I was talking about slashdotters, of which he is one. As you point out, this is slashdot. VLC releases hit the front page. He should really

        • by soft_guy (534437)

          On one hand you're right. On the other hand, if you've never heard of vlc, you've been living under a fucking rock.
          That's a pretty broad definition of "living under a rock". Lots of people who use computers every day haven't heard of VLC. They aren't living under rocks, they just aren't geeks.
    • by Space cowboy (13680) * on Tuesday January 02, 2007 @06:31PM (#17436554) Journal
      So

      [simon:~] simon% vlc
      tcsh: vlc: Command not found.
      [simon:~] simon% perl VLCMediaSlayer-x86.pl
      jump address is: 0x41424344
      writing to file: pwnage.m3u
      [simon:~] simon% open pwnage.m3u
      [simon:~] simon% (opens iTunes)

      the application for this second bug is not even shipped on Macs by default! Meaning that this completely 3rd-party software, if installed onto a Mac, can cause problems with the Mac. And this is Apple's problem how, exactly?

      Simon
    • by fishbot (301821)
      "it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X..."

      You appear to have completely missed the phrase "Both x86 and PowerPC versions are provided." in the reproduction steps section. The problem is that, like many people these days, you see an apparent coincidence (that both use the same architecture, even though it's a false observation) and assume causality. If you write code with a buffer overflow and compile it
    • by daveschroeder (516195) * on Tuesday January 02, 2007 @06:51PM (#17436730)
      See here [videolan.org] for details.
  • Thanks. (Score:2, Insightful)

    by easter1916 (452058)
    Thank you, Landon.
  • by PurifyYourMind (776223) on Tuesday January 02, 2007 @05:44PM (#17436040) Homepage
    Apple products don't have bugs. They have worms.
  • The acronym MOAB has already been taken http://en.wikipedia.org/wiki/Massive_Ordnance_Air_Blast_bomb [wikipedia.org]
    To prevent confusion I propose it should be Apple Month of the Bugs. AMOB
  • privsep? (Score:3, Interesting)

    by emil (695) on Tuesday January 02, 2007 @06:00PM (#17436216) Homepage

    I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?

    Is this feature in the works? I certainly hope so.

    • Re: (Score:3, Insightful)

      by cswiger2005 (905744)
      You could probably try doing this yourself:

      chown unknown /Applications/Safari.app/Contents/MacOS/Safari
      chmod u+s /Applications/Safari.app/Contents/MacOS/Safari

      ...and you'll probably need to also change the following:

      chown -R unknown ~/Library/Caches/Safari
      chown -R unknown ~/Library/Safari
      • by emil (695)

        I think that the program must explicitly set a new userid; the real, effective, and saved userids are not changed by the permissions on the file. The file permissions merely allow these functions to be called, they do not change ownership - this must be explicitly done in C. I can verify this in my Stevens book if you want.

        So... without help in the Safari binary, it will not be running with less privilege regardless of the permissions.

        • For a program to change UID/EUID to another user, it needs to have superuser permissions. We're not going to gain in security by making Safari setuid-root or encouraging someone to browse the web as root (most likely).

          Making Safari setuid via the filesystem requires fewer changes and no need for superuser.
          • by emil (695)

            For a program to change UID/EUID to another user, it needs to have superuser permissions. We're not going to gain in security by making Safari setuid-root or encouraging someone to browse the web as root (most likely). Making Safari setuid via the filesystem requires fewer changes and no need for superuser.

            It most certainly does not:

            $ cc -o uidtest uidtest.c
            $ cat uidtest.c
            #include <stdio.h>
            #include <unistd.h>

            main()
            {
            int x;

            x = getuid();
            printf("%d\n", x);
            x = geteuid();
            p

            • For a program to call setuid(), it needs to have superuser permissions. For a program to be made setuid via the filesystem, you have to invoke chmod via "su". Unless you make the program setuid-root, it cannot change the user information to some arbitrary other user.
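
The UID-switching rules argued over in this sub-thread can be checked directly with a short C program. This is an added example, not code from any poster: the helper names `switch_uid`, `drop_privileges` and `in_child` are hypothetical, and each attempt runs in a forked child so the caller's own IDs are never changed.

```c
/* Added example: UID switching and a verified privilege drop (POSIX). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: a plain setuid() attempt. Returns 0 on success. */
int switch_uid(uid_t uid, gid_t gid)
{
    (void)gid;
    return (setuid(uid) == 0 && geteuid() == uid) ? 0 : -1;
}

/* Hypothetical helper: permanent drop to uid/gid, as a privilege-separated
 * worker would do before parsing untrusted input. Returns 0 only if the
 * drop is verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: once the UID is gone, setgid() may no longer be allowed. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify that real and effective IDs all changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* Verify that root cannot be regained (no saved set-user-ID left). */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run fn(uid, gid) in a forked child.
 * Returns 1 if fn succeeded, 0 if it was refused, -1 on fork/wait error. */
int in_child(int (*fn)(uid_t, gid_t), uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fn(uid, gid) == 0 ? 0 : 1);   /* _exit: skip stdio flush */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("real uid %d, effective uid %d\n", (int)getuid(), (int)geteuid());
    printf("setuid(own uid): %d\n", in_child(switch_uid, getuid(), getgid()));
    printf("setuid(0):       %d\n", in_child(switch_uid, 0, 0));
    printf("verified drop:   %d\n",
           in_child(drop_privileges, getuid(), getgid()));
    return 0;
}
```

Run from an ordinary account, the three attempts report 1, 0 and 1: a process may always set its UID to one it already holds, but the kernel refuses a switch to any other user unless the process is privileged.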
    • I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?

      First, let me make one point clear. This is not "just catching on in IE", it has been used for running potentially exploitable applications in UNIX for decades. It's a last resort when applied to interactive programs... it's usually used with applications that are running unattended and providing services to the outside
      • First, let me make one point clear. This is not "just catching on in IE", it has been used for running potentially exploitable applications in UNIX for decades.

        Internet Explorer is currently the only browser that implements this technique, and it does so only on Vista (AFAIK).

        I've repeatedly argued that the fact that the local user runs with lower privileges on Mac OS X than on Windows is not nearly as important as Mac fanatics make out.

        I run as a restricted user on Windows, and I use RunAs to elev

  • Unabomber. (Score:3, Informative)

    by CODiNE (27417) on Tuesday January 02, 2007 @06:07PM (#17436294) Homepage
    Nice pic of the unabomber sketch on the release page... quite telling.
  • by SuperKendall (25149) on Tuesday January 02, 2007 @06:15PM (#17436370)
    From the other thread, it appeared that no Mac owner posted saying that they had been able to replicate the results - the people that did post results said the quicktime file given crashed Quicktime, but did not run the payload target. Simply being able to crash an application is not the same as actually executing arbitrary code.
    • Re: (Score:2, Informative)

      by paimin (656338)
      I tried the exploit on my Powerbook G4, and it did crash Quicktime, but no payload here as well.
    • I finally got a chance to try the exploit on my own Macbook Pro, where it did not work.

      Given that the Ruby script is slightly flawed, how are we to assume that they are even capable of coming up with a real exploit instead of just crashing applications?

      Month of Apple Bugs, indeed! Given the second bug (an error in VLC! Oh My!) I think the whole effort is going to backfire and point, correctly or not, as a shining example as to the lack of serious problems in OS X itself (unless they are saving something
  • I bet they find the Mother Of All Bugs during the Month of Apple Bugs. Will S. Jobs have to take Management Of Aggressive Behavior classes so as not to snap under the strain? I sense the Mother Of All Battles coming from the Apple fanbase.
    Microsoft Often Anticipates Bugs, but they have a "fix it after it shows itself" policy. Maybe Our Apple Boys will take security more seriously now.
    May Omnipotent Allah Bless their efforts.
  • So far it's 50% Apple Bugs.

    No wonder this guy's hiding.

    • I just verified myself - the proof of concept exploit for the bug that was actually an Apple bug did not work. Crashing Quicktime is not the same as an exploit that executes arbitrary code, obviously an actual exploit is more complex than he thought. Or perhaps I should use the phrase "Imagined" since we have yet to see a single post from a user that got the exploit to work.
      • Apparently it works on *some* machines.

        Someone, I think it was Macslash reported that a few machines got the full exploit, while most simply got the crash. Crashes aren't good, but they're hardly arbitrary code execution, either.

        Also - I seem to remember hearing that the newest intel chips have hardware protection that prevents the execution of code loaded into data buffers (i.e., buffer overrun attacks) - could that have an effect?
        • Someone, I think it was Macslash reported that a few machines got the full exploit, while most simply got the crash.

          I've posted on Macslash, and Digg as well looking for anyone who can reproduce the results (and now have tried it myself on my own Macbook Pro) - I have yet to see a post saying it works on their computer. On the website they have a shell exploit version which they guarantee works "but you have to verify with a debugger". To the naked eye, it also crashes Quicktime with no other result.

          Even
        • by LizardKing (5245)

          I seem to remember hearing that the newest intel chips have hardware protection that prevents the execution of code loaded into data buffers (i.e., buffer overrun attacks) - could that have an effect?

          Don't know, however the "exploit" doesn't work on my PowerPC based Mac either.

  • A VLC bug is an Apple Bug?

    Well, if that qualifies maybe they should start looking into MS Office for Apple bugs......
    • Re: (Score:3, Interesting)

      In the sense that it affects Apple machines, sure.

      But, yeah, it's kind of weak. If this is the best they can come up with, Apple can rest easy.
  • because they call Mac fanboys crackheads on their front page.
  • Terrorists Lose!
  • by toby (759) *
    The obvious way to handle it, I thought [slashdot.org] when the story broke last month...
  • ...in a few days the MacWorld Expo keynote will be done and everyone will be writing and blogging about that, MOAB never to be heard again.
