
Apple patches QuickTime exploit published by MoAB website

post #1 of 34
Thread Starter 
Apple on Tuesday released a security update for its QuickTime digital media software in response to a vulnerability discovered by security researchers associated with the Month of Apple Bugs website.

The Cupertino-based company said Security Update 2007-001 -- its first security update of the 2007 calendar year -- closes a vulnerability through which QuickTime users visiting maliciously crafted websites could be subjected to arbitrary code execution.

"A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution," the company said. "A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007)."

Apple added that its fix for the issue includes performing additional validation of RTSP URLs.

The security update is available for QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, and Windows XP/2000.

The Month of Apple Bugs initiative is an effort by security analysts to improve the security of Apple's Mac OS X operating system by uncovering flaws in different versions of the company's software and in third-party applications.

Apple's security update released Tuesday targets the first of those reported flaws. The Month of Apple Bugs website has since gone on to list 21 additional vulnerabilities in Mac OS X-related software, one for each day of the month.
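Apple says its fix adds validation of RTSP URLs. The C below is an added illustration (not Apple's code and not the MoAB proof of concept) of what such validation looks like: a bounded parser for rtsp://host[:port][/path] that checks every length before copying into fixed-size fields, the check whose absence turns an over-long URL into a buffer overflow. The size limits, the case-sensitive scheme match and the helper names are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Illustrative bounds only (assumptions for this example, not Apple's limits). */
#define RTSP_MAX_URL  1024
#define RTSP_MAX_HOST 253
#define RTSP_MAX_PATH 512

typedef struct {
    char host[RTSP_MAX_HOST + 1];
    unsigned port;
    char path[RTSP_MAX_PATH + 1];
} rtsp_url;

/* Validate rtsp://host[:port][/path]. Every length is checked BEFORE any byte is
 * copied into the fixed-size fields of *out; an unchecked copy into such a buffer
 * is what turns a long URL into an overflow. Scheme match is case-sensitive here. */
bool rtsp_url_validate(const char *url, rtsp_url *out)
{
    if (url == NULL || out == NULL) return false;
    /* Bounded length scan: do not trust the caller's string to be short. */
    size_t n = 0;
    while (n <= RTSP_MAX_URL && url[n] != '\0') n++;
    if (n > RTSP_MAX_URL) return false;
    if (strncmp(url, "rtsp://", 7) != 0) return false;
    const char *p = url + 7;
    /* Host: letters, digits, '-' and '.' only, ended by ':' or '/' or NUL. */
    const char *host_end = p;
    while (*host_end != '\0' && *host_end != ':' && *host_end != '/') {
        unsigned char c = (unsigned char)*host_end;
        if (!(isalnum(c) || c == '-' || c == '.')) return false;
        host_end++;
    }
    size_t host_len = (size_t)(host_end - p);
    if (host_len == 0 || host_len > RTSP_MAX_HOST) return false;
    memcpy(out->host, p, host_len);             /* fits: checked above */
    out->host[host_len] = '\0';
    p = host_end;

    /* Optional port 1..65535 (at most five digits); 554 is the RTSP default. */
    out->port = 554;
    if (*p == ':') {
        unsigned port = 0; int digits = 0;
        for (p++; isdigit((unsigned char)*p); p++) {
            port = port * 10 + (unsigned)(*p - '0');
            if (++digits > 5 || port > 65535) return false;
        }
        if (digits == 0 || port == 0) return false;
        out->port = port;
    }

    /* Path: absent or starting at '/', printable ASCII only. */
    if (*p != '/' && *p != '\0') return false;
    size_t path_len = strlen(p);
    if (path_len > RTSP_MAX_PATH) return false;
    for (size_t i = 0; i < path_len; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c < 0x21 || c > 0x7e) return false;  /* no space, control or 8-bit bytes */
    }
    if (path_len == 0) strcpy(out->path, "/");
    else memcpy(out->path, p, path_len + 1);    /* fits: checked above, includes NUL */
    return true;
}

/* Helper for checks: does url validate to exactly this host, port and path? */
bool rtsp_url_matches(const char *url, const char *host, unsigned port, const char *path)
{
    rtsp_url u;
    return rtsp_url_validate(url, &u) && strcmp(u.host, host) == 0 &&
           u.port == port && strcmp(u.path, path) == 0;
}

/* Constructed sample: a host far longer than any bound. A routine that copied
 * first and checked afterwards would already have overflowed its buffer. */
bool rtsp_demo_overlong_rejected(void)
{
    char big[RTSP_MAX_URL + 64];
    memcpy(big, "rtsp://", 7);
    memset(big + 7, 'a', sizeof big - 8);
    big[sizeof big - 1] = '\0';
    rtsp_url u;
    return !rtsp_url_validate(big, &u);
}
```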
post #2 of 34
I believe this was the first bug released during the Month of Apple Bugs.

Though fixing anything with even minimal security exploits is important, I can't help but laugh at what has been uncovered during this month so far. I also praise Apple for patching it within a few weeks. It takes time to figure out how to patch exploits and still maintain stability / compatibility.

Quote:
The reason why they are analysts is because they failed at running businesses.
post #3 of 34
This fix is in line with the typical timing and attention given to Apple security updates - relatively quick and competent.

This pretty much busts MOAB's claims of Apple's ignorance and/or hostility at bug reports.

Apple has been doing better than most, fixing 99.9% of their problems through their established channels without MOAB's brand of nonsense. IIRC a third of their "Apple Bugs" are 3rd party problems to begin with.

MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.
post #4 of 34
Quote:
Originally Posted by jpellino View Post

MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.

I agree. I personally think this was for attention over anything. They were / are publicly announcing the bugs without submitting to apple first. They made large statements about releasing a bug a day. They have insulted the user base. I'm over the MOAB at this point. They have released 2-3 that I know of and all have been 3rd party so far. Completely a waste of time if you ask me.
post #5 of 34
Quote:
Originally Posted by emig647 View Post

I agree. I personally think this was for attention over anything. They were / are publicly announcing the bugs without submitting to apple first. They made large statements about releasing a bug a day. They have insulted the user base. I'm over the MOAB at this point. They have released 2-3 that I know of and all have been 3rd party so far. Completely a waste of time if you ask me.

Well, you are severely misstating the facts. Have a look at the MOAB page: http://projects.info-pull.com/moab/

Definitely not all 3rd party exploits and definitely more than 2 or 3 exploits.

Please don't interpret my comment as support for what MOAB is doing. I think it is reprehensible.
post #6 of 34
Luckily, beyond being reprehensible, they're also getting minimal coverage. Only Macintouch reports on their daily announcements.
post #7 of 34
Quote:
Originally Posted by spovich View Post

Well, you are severely misstating the facts. Have a look at the MOAB page: http://projects.info-pull.com/moab/

Definitely not all 3rd party exploits and definitely more than 2 or 3 exploits.

Please don't interpret my comment as support for what MOAB is doing. I think it is reprehensible.

I guess I should have been more clear. I have HEARD about 2-3 bugs this whole month. I frequent macnn, macdailynews, arstechnica, thinksecret, ai, macrumors, macworld... and I've only read about a few. If these other ones are so serious why haven't they been reported on?

Either way, sorry for the confusion. I still feel that these guys are stepping over the line.
post #8 of 34
Does this even fix the virus issue that's hounded some Quicktimes posted to MySpace? It's been about six weeks and I have not heard of a resolution to that problem. This says RTSP, and I thought the MySpace issue was an HREF issue. It's an actual exploit being used in the wild, and I think it has been in operation since early December, if not earlier.
post #9 of 34
Quote:
Originally Posted by emig647 View Post

I guess I should have been more clear. I have HEARD about 2-3 bugs this whole month. I frequent macnn, macdailynews, arstechnica, thinksecret, ai, macrumors, macworld... and I've only read about a few. If these other ones are so serious why haven't they been reported on?

I wouldn't judge the severity based on what fan websites say or what they ignore. I'd go with something a little more independent.

Some of the stuff is a concern, privilege escalation and remote exploit.

Quote:
Originally Posted by jpellino View Post

Apple has been doing better than most, fixing 99.9% of their problems through their established channels without MOAB's brand of nonsense.

One would like to think so, but I've heard about several problems that were ignored for several months, so I think your number is too high. I really don't remember the specifics though. In one case, servers were switched to PPC Linux because of long standing issues interoperating with Windows servers.

Quote:
MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.

It is a piss fight isn't it? I wonder how much of it Apple fans are taking personally? How much of it is a retaliation against excessive smugness on the part of Apple fans? Apple fans don't always understand how irritating they can sound at times.
post #10 of 34
These MOAB people are like many other anti-Mac folks -- they see one of us make a statement like "there are currently no known viruses for OS X" and they interpret that as "Mac OS X cannot get a virus", which is in no way what was said.

No one ever said that the better design of OS X somehow prevented buffer overflows. That is inherent in any C code. And no one ever said that Mac OS X could not be victimized by a Trojan - any OS can. If the user agrees to execute your sudo rm -rf / shell script and type in their password, no OS is going to stop them.

However, I have looked at the examples these guys give, and I do not see any privilege escalation or demonstration of root. Kernel panic does not necessarily mean that you yourself were in the kernel.
--Johnny
post #11 of 34
Quote:
Originally Posted by JeffDM View Post

It is a piss fight isn't it? I wonder how much of it Apple fans are taking personally? How much of it is a retaliation against excessive smugness on the part of Apple fans? Apple fans don't always understand how irritating they can sound at times.

It goes both ways for the most part though.

Yah it's not wise to judge the severity based off of mac sites. BUT why hasn't anyone really been talking about it? Are all these just proof of concepts?
post #12 of 34
I personally think the irresponsible idiots who call themselves researchers need to wake up and do things in a more professional way. As far as I personally can see, they are out to gain some brownie points for themselves.
post #13 of 34
Quote:
Originally Posted by Kolchak View Post

Luckily, beyond being reprehensible, they're also getting minimal coverage. Only Macintouch reports on their daily announcements.

No, I've seen it in many places, as well as being mentioned in the NYTimes.
post #14 of 34
I'd not have called Ars Technica a fan site exactly although the JoeyGracias of the world might disagree. They've been covering this quite responsibly with a weekly roundup of the MOAB bugs and a long discussion thread in their forum.

I'm sure the MOAB 'analysts' will make more press now though that Apple have fixed one of their exploits. It'll be something along the lines of them crowing that they've forced Apple to fix something quicker than normal, that Apple hasn't fixed the other 21 exploits (even though most aren't theirs or even important) and that 'smug' Mac users remain exploitable because Apple still has an insecure OS. Cue George Ou and Brian Krebs having an orgasm over this followed by Paul Thurrott and Rob Enderle wiping their chins.
post #15 of 34
Quote:
Originally Posted by aegisdesign View Post

I'd not have called Ars Technica a fan site exactly although the JoeyGracias of the world might disagree. They've been covering this quite responsibly with a weekly roundup of the MOAB bugs and a long discussion thread in their forum.

I'm sure the MOAB 'analysts' will make more press now though that Apple have fixed one of their exploits. It'll be something along the lines of them crowing that they've forced Apple to fix something quicker than normal, that Apple hasn't fixed the other 21 exploits (even though most aren't theirs or even important) and that 'smug' Mac users remain exploitable because Apple still has an insecure OS. Cue George Ou and Brian Krebs having an orgasm over this followed by Paul Thurrott and Rob Enderle wiping their chins.

So, you know Joey, do you?

There were a few even worse than him there. But, two of them got banned, and the other two simply left.

There is a big article about this "project" in the WSJ today.
post #16 of 34
Quote:
Originally Posted by melgross View Post

So, you know Joey, do you?

How can I not!

You have to wonder about people like that, who pop up in every thread about a computer platform they seem to so vehemently hate. What is that guy's problem?

My other favourite troll is anthonyr who will jump in with how superior the Linux kernel is at any opportunity. He mostly knows his stuff but you know, who the f*ck cares?

Most of the time though Ars is one of the more informed sites and more balanced than the Mac sites or Anandtech/Toms on the PC side who seem to have serious editorial problems letting slip through articles that are flawed or biased.
post #17 of 34
caution:
the Security Update 2007-001 deleted all of my Safari bookmarks

on my MacBook Pro 10.4.8

someone at an Apple discussion page said it also: "completely blocked my aMule filesharing application"

use this security update with caution

anyone else having problems?
post #18 of 34
Quote:
Originally Posted by aegisdesign View Post

How can I not!

You have to wonder about people like that, who pop up in every thread about a computer platform they seem to so vehemently hate. What is that guy's problem?

My other favourite troll is anthonyr who will jump in with how superior the Linux kernel is at any opportunity. He mostly knows his stuff but you know, who the f*ck cares?

Most of the time though Ars is one of the more informed sites and more balanced than the Mac sites or Anandtech/Toms on the PC side who seem to have serious editorial problems letting slip through articles that are flawed or biased.

I've had run-ins with both, but anthonyr is more reasonable, and his arguments are more nuanced.

Ever since Anand went out and bought a Mac, coverage there has gotten very interesting. He actually seems to prefer it, and uses it most of the time.

Since that first happened, anti-Mac commentary from the peanut gallery has dropped considerably. Loyalty to him is greater than the hatred of the Mac, it seems.
post #19 of 34
Quote:
Originally Posted by melgross View Post

I've had run-ins with both, but anthonyr is more reasonable, and his arguments are more nuanced.

Ever since Anand went out and bought a Mac, coverage there has gotten very interesting. He actually seems to prefer it, and uses it most of the time.

Since that first happened, anti-Mac commentary from the peanut gallery has dropped considerably. Loyalty to him is greater than the hatred of the Mac, it seems.

I've only been reading anandtech consistently for about 2 years now. Overall I have enjoyed and respected all of the articles off of that site. I really haven't seen any bias-based reviews either... though I have been lifting an eyebrow at the Clovertown vs Opteron review. We'll have to wait and see though. For the most part I think you're right that the PC followers of Anand are far great enough to be open-minded towards a Mac.
post #20 of 34
Quote:
Originally Posted by emig647 View Post

I've only been reading anandtech consistently for about 2 years now. Overall I have enjoyed and respected all of the articles off of that site. I really haven't seen any bias-based reviews either... though I have been lifting an eyebrow at the Clovertown vs Opteron review. We'll have to wait and see though. For the most part I think you're right that the PC followers of Anand are far great enough to be open-minded towards a Mac.

In particular I thought the couple of articles they wrote about how bad Mac OSX was at running MySQL were flawed, as they didn't actually delve into why MySQL runs more slowly and instead accused OSX's kernel design as the reason. They didn't look at the filesystem or assumptions MySQL was making. They just quoted benchmarks from a Linux benchmark running on OSX. No analysis. If you're going to release something with fairly controversial findings then it would seem prudent to work out why if you're a tech site.

Of course, those articles then got quoted ad nauseam by the 'peanut gallery' as melgross so aptly put it. I think also that some of the peanut throwers have less ammo now that Apple is on Intel. Before when they were on PPC, they could ignorantly claim superiority, even if it wasn't true. Now the hardware playing field is the same they can only argue about software and much fewer of them understand software.
post #21 of 34
Yes, I remember that article. I must admit I was a bit disappointed with it. But it made sense. How the threading in the Mach kernel is higher level than some other Linux kernels. At least it made sense to me, but not knowing a ton about Mach, I pleasantly went along with it. Is this untrue or still up in the air? That is why I was hoping OS X was going to get a new kernel for 10.5. I use MySQL and Oracle a lot and would love for these to be able to run on OS X machines just as quick as Linux. I respected that article from Anandtech because of the site's reputation. Perhaps I went along too sheepishly?
post #22 of 34
Quote:
Originally Posted by emig647 View Post

Yes, I remember that article. I must admit I was a bit disappointed with it. But it made sense. How the threading in the Mach kernel is higher level than some other Linux kernels. At least it made sense to me, but not knowing a ton about Mach, I pleasantly went along with it. Is this untrue or still up in the air? That is why I was hoping OS X was going to get a new kernel for 10.5. I use MySQL and Oracle a lot and would love for these to be able to run on OS X machines just as quick as Linux. I respected that article from Anandtech because of the site's reputation. Perhaps I went along too sheepishly?

The threading issue was one big smelly red herring as they confused processes and threads.

The Apache benchmark is actually a bug in the benchmark - also present in the OpenBSD version - where it stalls causing bad results. The test wasn't very useful anyway as it wasn't real world.

I don't think anyone actually got down to the root of the MySQL issues. Ostensibly it was either an issue with syncing data to disk reliably (OSX does it, Linux doesn't), differences in filesystem (HFS+ v whatever they used on Linux) or potentially hardware.

Some of it was pulled apart on http://ridiculousfish.com/blog/?p=17

And on top of that, they were testing apples and oranges since IIRC they never tested Linux running on the same G5 hardware so they can't rule out hardware issues making the entire OS comparison pointless.

I wonder what the results would be on the Intel boxes now.
post #23 of 34
Quote:
Originally Posted by emig647 View Post

Yes, I remember that article. I must admit I was a bit disappointed with it. But it made sense. How the threading in the Mach kernel is higher level than some other Linux kernels. At least it made sense to me, but not knowing a ton about Mach, I pleasantly went along with it. Is this untrue or still up in the air? That is why I was hoping OS X was going to get a new kernel for 10.5. I use MySQL and Oracle a lot and would love for these to be able to run on OS X machines just as quick as Linux. I respected that article from Anandtech because of the site's reputation. Perhaps I went along too sheepishly?

There have been many complaints about Mach. It was thought that with Travinian (spelling?) leaving, it could be the end of Mach for OS X, but so far, this doesn't seem to be the case.
post #24 of 34
Quote:
Originally Posted by aegisdesign View Post

The threading issue was one big smelly red herring as they confused processes and threads.

The Apache benchmark is actually a bug in the benchmark - also present in the OpenBSD version - where it stalls causing bad results. The test wasn't very useful anyway as it wasn't real world.

I don't think anyone actually got down to the root of the MySQL issues. Ostensibly it was either an issue with syncing data to disk reliably (OSX does it, Linux doesn't), differences in filesystem (HFS+ v whatever they used on Linux) or potentially hardware.

Some of it was pulled apart on http://ridiculousfish.com/blog/?p=17

And on top of that, they were testing apples and oranges since IIRC they never tested Linux running on the same G5 hardware so they can't rule out hardware issues making the entire OS comparison pointless.

I wonder what the results would be on the Intel boxes now.

I think I read somewhere that after 10.5 comes out, they will re-do the test.
post #25 of 34
Quote:
Originally Posted by melgross View Post

There have been many complaints about Mach. It was thought that with Travinian (spelling?) leaving, it could be the end of Mach for OS X, but so far, this doesn't seem to be the case.

Avie Tevanian. I still can't see them using a monolithic kernel though like Linux, not when multi core chips are gaining in popularity.

I wonder if they've used Mach on the iPhone or something like L4 since they've got much greater control over that.
post #26 of 34
Quote:
Originally Posted by aegisdesign View Post

The threading issue was one big smelly red herring as they confused processes and threads.

The Apache benchmark is actually a bug in the benchmark - also present in the OpenBSD version - where it stalls causing bad results. The test wasn't very useful anyway as it wasn't real world.

I don't think anyone actually got down to the root of the MySQL issues. Ostensibly it was either an issue with syncing data to disk reliably (OSX does it, Linux doesn't), differences in filesystem (HFS+ v whatever they used on Linux) or potentially hardware.

Some of it was pulled apart on http://ridiculousfish.com/blog/?p=17

And on top of that, they were testing apples and oranges since IIRC they never tested Linux running on the same G5 hardware so they can't rule out hardware issues making the entire OS comparison pointless.

I wonder what the results would be on the Intel boxes now.

I just read the article, and the responses. According to a number of them, who did tests, there could indeed be an Apple problem.
post #27 of 34
Quote:
Originally Posted by melgross View Post

I just read the article, and the responses. According to a number of them, who did tests, there could indeed be an Apple problem.

Possibly. Apple's relative silence on this may speak volumes although it's not unusual they're silent. Certainly needs a retest anyway.
post #28 of 34
Quote:
Originally Posted by aegisdesign View Post

I wonder if they've used Mach on the iPhone or something like L4 since they've got much greater control over that.

Using L4 for iPhone OS X would certainly trigger a lot more speculation about it being a Mach replacement for Mac OS X.
post #29 of 34
Be aware if you have any third party add-ons it is much better to disable them before installing any updates as they are known to cause issues.
post #30 of 34
Quote:
Originally Posted by rob05au View Post

Be aware if you have any third party add-ons it is much better to disable them before installing any updates as they are known to cause issues.

Saying that third party add-ons (however you're defining them) are known to cause issues with updates (such as?) is too vague to be of much help, IMO. It's much better to disable what, for example?

I can't recall any third party software ever interfering with any OS X updates I've done since 10.1, though I don't use APE/Haxies if those are in the category of add-ons you're talking about.
post #31 of 34
Quote:
Originally Posted by sjk View Post

Saying that third party add-ons (however you're defining them) are known to cause issues with updates (such as?) is too vague to be of much help, IMO. It's much better to disable what, for example?

I can't recall any third party software ever interfering with any OS X updates I've done since 10.1, though I don't use APE/Haxies if those are in the category of add-ons you're talking about.

I can't say anything about OS X, but I've heard of Quicktime plug-ins causing problems for Quicktime updates, but that was only with major updates, QT6 to QT7. I don't remember what plug-in that was. I don't think anything non-Quicktime will cause problems with a Quicktime update.
post #32 of 34
I have a few third party QuickTime components installed in /Library/QuickTime and they don't interfere with this update which only affects these files/folders:
Code:
% lsbom /Library/Receipts/SecUpd2007-001Ti.pkg/Contents/Archive.bom
. 41775 0/80
./System 40755 0/0
./System/Library 40755 0/0
./System/Library/Frameworks 40755 0/0
./System/Library/Frameworks/QuickTime.framework 40755 0/0
./System/Library/Frameworks/QuickTime.framework/Versions 40755 0/0
./System/Library/Frameworks/QuickTime.framework/Versions/A 40755 0/0
./System/Library/Frameworks/QuickTime.framework/Versions/A/QuickTime 100755 0/0 7258956 1092005189
./System/Library/Frameworks/QuickTime.framework/Versions/A/Resources 40755 0/0
./System/Library/Frameworks/QuickTime.framework/Versions/A/Resources/version.plist 100644 0/0 518 2075750745
./System/Library/QuickTime 40755 0/0
./System/Library/QuickTime/QuickTimeStreaming.component 40755 0/0
./System/Library/QuickTime/QuickTimeStreaming.component/Contents 40755 0/0
./System/Library/QuickTime/QuickTimeStreaming.component/Contents/Info.plist 100644 0/0 952 1219408750
./System/Library/QuickTime/QuickTimeStreaming.component/Contents/MacOS 40755 0/0
./System/Library/QuickTime/QuickTimeStreaming.component/Contents/MacOS/QuickTimeStreaming 100755 0/0 3565844 2883492620
./System/Library/QuickTime/QuickTimeStreaming.component/Contents/Resources 40755 0/0
./System/Library/QuickTime/QuickTimeStreaming.component/Contents/Resources/QuickTimeStreaming.rsrc 100644 0/0 51841 541997997
./System/Library/QuickTime/QuickTimeStreaming.component/Contents/version.plist 100644 0/0 518 2075750745

It's wise to ignore any blind blaming of updates for causing unrelated issues (often pre-existing), like ridiculous claims I've seen that this one somehow improves network performance (among other things).

It's hard not to sadly laugh at some of the so-called "serious recommendations" (a.k.a. panic reactions) for fixing post-update problems that make absolutely no sense. Got a nosebleed? Let's amputate!
post #33 of 34
Quote:
Originally Posted by sjk View Post

It's wise to ignore any blind blaming of updates for causing unrelated issues (often pre-existing), like ridiculous claims I've seen that this one somehow improves network performance (among other things).

It's hard not to sadly laugh at some of the so-called "serious recommendations" (a.k.a. panic reactions) for fixing post-update problems that make absolutely no sense. Got a nosebleed? Let's amputate!

No, it wasn't blind blaming. I remember a knowledgeable person stated that one very specific plug-in caused an incompatibility that caused problems with Quicktime when QT was updated to version 7. It wasn't a vague statement, I just don't remember whose plug-in caused the problems. Your amputation analogy is way off base too. Plug-ins are rarely essential and it's easy to archive them to test whether they are the cause of the problems, and unarchive when they are cleared. It should be easy to see that debugging is non-destructive.
post #34 of 34
Quote:
Originally Posted by JeffDM View Post

No, it wasn't blind blaming.

I didn't at all mean to imply you meant that, sorry. My comments really weren't directed at anyone specifically. Sometimes it's hard to say much here without it being interpreted as argumentative or confrontational, then having to defend those misunderstandings. Oh well.

Quote:
I remember a knowledgeable person stated that one very specific plug-in caused an incompatibility that caused problems with Quicktime when QT was updated to version 7. It wasn't a vague statement, I just don't remember whose plug-in caused the problems.

I wouldn't doubt that.

I half remember some incompatibility between QuickTime 7 and older versions of Apple's MPEG-2 component. Not everyone is aware of those kinds of dependencies when they do updates; those of us who are usually know how to adequately prepare for them.

Quote:
Your amputation analogy is way off base too. Plug-ins are rarely essential and it's easy to archive them to test whether they are the cause of the problems, and unarchive when they are cleared. It should be easy to see that debugging is non-destructive.

My point with that analogy was simply that certain people without much skill in correlating symptoms with possible solutions sometimes give advice that ends up causing more problems than it cures. Based on your post history I definitely don't think that's something you'd intentionally do.