Apple patches QuickTime exploit published by MoAB website
Apple on Tuesday released a security update for its QuickTime digital media software in response to a vulnerability discovered by security researchers associated with the Month of Apple Bugs website.
The Cupertino-based company said Security Update 2007-001 -- its first security update of the 2007 calendar year -- closes a vulnerability through which QuickTime users visiting maliciously crafted websites could fall victim to arbitrary code execution.
"A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution," the company said. "A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007)."
Apple added that its fix for the issue includes performing additional validation of RTSP URLs.
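An added illustration (not Apple's or QuickTime's code) of the bug class and of the kind of validation the advisory describes: a bounded, scheme-checked copy of an RTSP URL in place of an unchecked one. The 255-byte limit and the printable-ASCII rule are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit for this hypothetical player, not a value from Apple's advisory. */
#define RTSP_URL_MAX 255

/* The vulnerable pattern the advisory describes is strcpy(buf, url) into a
 * fixed-size buffer with no length check. The hardened form below validates
 * first: only rtsp:// URLs with a non-empty remainder, at most RTSP_URL_MAX
 * bytes, fitting 'out', and free of control or non-ASCII bytes. Fills 'out'
 * and returns true on success; returns false with 'out' untouched otherwise. */
bool validate_rtsp_url(const char *url, char *out, size_t out_len)
{
    static const char scheme[] = "rtsp://";
    size_t len = 0;
    if (url == NULL || out == NULL || out_len == 0)
        return false;
    while (len <= RTSP_URL_MAX && url[len] != '\0')   /* bounded length scan */
        len++;
    if (len > RTSP_URL_MAX || len >= out_len)
        return false;                                  /* too long to copy safely */
    if (len <= sizeof(scheme) - 1 || strncmp(url, scheme, sizeof(scheme) - 1) != 0)
        return false;                                  /* wrong scheme or empty host */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c > 0x7e)
            return false;                              /* control or non-ASCII byte */
    }
    memcpy(out, url, len + 1);                         /* bounded copy incl. NUL */
    return true;
}

/* Wrapper used by the checks below: true if 'url' is accepted. */
bool rtsp_url_ok(const char *url)
{
    char buf[RTSP_URL_MAX + 1];
    return validate_rtsp_url(url, buf, sizeof buf);
}

/* Constructed sample: a 400-byte rtsp:// URL must be rejected, not copied. */
bool long_rtsp_url_rejected(void)
{
    char big[401];
    memset(big, 'a', 400);
    big[400] = '\0';
    memcpy(big, "rtsp://", 7);
    return !rtsp_url_ok(big);
}
```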
The security update is available for QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, and Windows XP/2000.
The Month of Apple Bugs initiative is an effort by security analysts to improve Apple's Mac OS X operating system by uncovering security flaws in different versions of the company's software and in third-party applications.
Apple's security update released Tuesday targets the first of those reported flaws. The Month of Apple Bugs website has since gone on to list 21 additional vulnerabilities in Mac OS X related software, one for each day of the month.
Comments
Though fixing anything with even minimal security exploits is important, I can't help but laugh at what has been uncovered during this month so far. I also praise Apple for patching it within a few weeks. It takes time to figure out how to patch exploits and still maintain stability / compatibility.
This pretty much busts MOAB's claims of Apple's ignorance and/or hostility at bug reports.
Apple has been doing better than most, fixing 99.9% of their problems through their established channels without MOAB's brand of nonsense. IIRC a third of their "Apple Bugs" are 3rd party problems to begin with.
MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.
I agree. I personally think this was for attention over anything. They were / are publicly announcing the bugs without submitting to apple first. They made large statements about releasing a bug a day. They have insulted the user base. I'm over the MOAB at this point. They have released 2-3 that I know of and all have been 3rd party so far. Completely a waste of time if you ask me.
Well, you are severely misstating the facts. Have a look at the MOAB page: http://projects.info-pull.com/moab/
Definitely not all 3rd party exploits and definitely more than 2 or 3 exploits.
Please don't interpret my comment as support for what MOAB is doing. I think it is reprehensible.
I guess I should have been more clear. I have HEARD about 2-3 bugs this whole month. I frequent macnn, macdailynews, arstechnica, thinksecret, ai, macrumors, macworld... and I've only read about a few. If these other ones are so serious why haven't they been reported on?
Either way, sorry for the confusion. I still feel that these guys are stepping over the line.
I wouldn't judge the severity based on what fan websites say or what they ignore. I'd go with something a little more independent.
Some of the stuff is a concern, privilege escalation and remote exploit.
Apple has been doing better than most, fixing 99.9% of their problems through their established channels without MOAB's brand of nonsense.
One would like to think so, but I've heard about several problems that were ignored for several months, so I think your number is too high. I really don't remember the specifics though. In one case, servers were switched to PPC Linux because of long standing issues interoperating with Windows servers.
It is a piss fight, isn't it? I wonder how much of it Apple fans are taking personally? How much of it is a retaliation against excessive smugness on the part of Apple fans? Apple fans don't always understand how irritating they can sound at times.
No one ever said that the better design of OS X somehow prevented buffer overflows. That is inherent in any C code. And no one ever said that Mac OS X could not be victimized by a Trojan - any OS can. If the user agrees to execute your sudo rm -rf / shell script and type in their password, no OS is going to stop them.
However, I have looked at the examples these guys give, and I do not see any privilege escalation or demonstration of root. Kernel panic does not necessarily mean that you yourself were in the kernel.
It goes both ways for the most part though.
Yah it's not wise to judge the severity based off of mac sites. BUT why hasn't anyone really been talking about it? Are all these just proof of concepts?
Luckily, beyond being reprehensible, they're also getting minimal coverage. Only Macintouch reports on their daily announcements.
No, I've seen it in many places, as well as being mentioned in the NYTimes.
I'm sure the MOAB 'analysts' will make more press now that Apple have fixed one of their exploits. It'll be something along the lines of them crowing that they've forced Apple to fix something quicker than normal, that Apple hasn't fixed the other 21 exploits (even though most aren't theirs or even important) and that 'smug' Mac users remain exploitable because Apple still has an insecure OS. Cue George Ou and Brian Krebs having an orgasm over this followed by Paul Thurrott and Rob Enderle wiping their chins.
I'd not have called Ars Technica a fan site exactly although the JoeyGracias of the world might disagree. They've been covering this quite responsibly with a weekly roundup of the MOAB bugs and a long discussion thread in their forum.
So, you know Joey, do you?
There were a few even worse than him there. But, two of them got banned, and the other two simply left.
There is a big article about this "project" in the WSJ today.
How can I not!
You have to wonder about people like that, that pop up in every thread about a computer platform they seem to so vehemently hate. What is that guy's problem?
My other favourite troll is anthonyr who will jump in with how superior the Linux kernel is at any opportunity. He mostly knows his stuff but you know, who the f*ck cares?
Most of the time though Ars is one of the more informed sites and more balanced than the Mac sites or Anandtech/Toms on the PC side who seem to have serious editorial problems letting slip through articles that are flawed or biased.
The Security Update 2007-001 deleted all of my Safari bookmarks on my MacBook Pro 10.4.8.
Someone at an Apple discussion page said it also: "completely blocked my aMule filesharing application".
Use this security update with caution.
Anyone else having problems?
I've had run-ins with both, but anthonyr is more reasonable, and his arguments are more nuanced.
Ever since Anand went out and bought a Mac, coverage there has gotten very interesting. He actually seems to prefer it, and uses it most of the time.
Since that first happened, anti-Mac commentary from the peanut gallery has dropped considerably. Loyalty to him is greater than the hatred of the Mac, it seems.
I've only been reading anandtech consistently for about 2 years now. Overall I have enjoyed and respected all of the articles off of that site. I really haven't seen any bias-based reviews either... though I have been lifting an eyebrow at the Clovertown vs Opteron review. We'll have to wait and see though. For the most part I think you're right that the PC followers of Anand are far great enough to be open minded towards a Mac.
In particular I thought the couple of articles they wrote about how bad Mac OS X was at running MySQL were flawed as they didn't actually delve into why MySQL runs more slowly and instead accused OS X's kernel design as the reason. They didn't look at the filesystem or assumptions MySQL was making. They just quoted benchmarks from a Linux benchmark running on OS X. No analysis. If you're going to release something with fairly controversial findings then it would seem prudent to work out why if you're a tech site.
Of course, those articles then got quoted ad nauseam by the 'peanut gallery' as melgross so aptly put it. I think also that some of the peanut throwers have less ammo now that Apple is on Intel. Before, when they were on PPC, they could ignorantly claim superiority, even if it wasn't true. Now the hardware playing field is the same they can only argue about software, and much fewer of them understand software.