MoAB #1: Apple Quicktime RTSP URL Handling Buffer Overflow Vulnerability

LMH’s “Month of Apple Bugs” has begun:

“‘LMH’ has discovered a vulnerability in Apple Quicktime, which can be exploited by malicious people to compromise a user’s system,” Secunia reports.

“The vulnerability is caused due to a boundary error when handling RTSP URLs. This can be exploited to cause a stack-based buffer overflow via a specially crafted QTL file with an overly long (more than 256 bytes) ‘src’ parameter (e.g. ‘rtsp://[any character]:[>256 bytes]’),” Secunia reports. “Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 7.1.3.100 (Windows version) and reportedly affects both Microsoft Windows and Mac OS X versions.”
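
The bug class the advisory describes, an RTSP URL component copied into a fixed 256-byte buffer without a length check, is shown below as an added, constructed example: this is not QuickTime's code and not LMH's proof of concept. The 256-byte buffer size is taken from the advisory's ">256 bytes" trigger; the assumption that the URL is split at the first ':' into a host and a remainder, and every function name here, are mine. The unsafe parser is kept beside the hardened one so the missing check is visible; only the hardened one is exercised with the trigger shape.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size, taken from the advisory's ">256 bytes" trigger. */
#define PART_MAX 256

/* Parsed pieces of "rtsp://<host>:<rest>" (assumed layout). */
typedef struct {
    char host[PART_MAX];   /* text between "rtsp://" and the first ':' */
    char rest[PART_MAX];   /* everything after that ':' */
} rtsp_parts;

static const char SCHEME[] = "rtsp://";

/* Illustrative vulnerable handler (constructed, not QuickTime's code):
 * both components are copied into fixed buffers with no length check.
 * A "rest" of 256 bytes or more, i.e. the advisory's
 * rtsp://<char>:<more than 256 bytes> pattern, overruns parts->rest.
 * Never call this with untrusted input. */
int rtsp_parse_unsafe(const char *url, rtsp_parts *parts)
{
    const char *p, *colon;
    if (strncmp(url, SCHEME, sizeof SCHEME - 1) != 0)
        return -1;
    p = url + (sizeof SCHEME - 1);
    colon = strchr(p, ':');
    if (colon == NULL)
        return -1;
    memcpy(parts->host, p, (size_t)(colon - p));   /* unbounded host copy */
    parts->host[colon - p] = '\0';
    strcpy(parts->rest, colon + 1);                 /* unbounded rest copy */
    return 0;
}

/* Hardened handler: measure each component first and refuse anything
 * that does not fit with room for the terminator, before any copy. */
int rtsp_parse_safe(const char *url, rtsp_parts *parts)
{
    const char *p, *colon;
    size_t hostlen, restlen;
    if (strncmp(url, SCHEME, sizeof SCHEME - 1) != 0)
        return -1;                  /* not an rtsp:// URL */
    p = url + (sizeof SCHEME - 1);
    colon = strchr(p, ':');
    if (colon == NULL)
        return -1;                  /* no host:rest separator */
    hostlen = (size_t)(colon - p);
    restlen = strlen(colon + 1);
    if (hostlen >= PART_MAX)
        return -2;                  /* host would overflow */
    if (restlen >= PART_MAX)
        return -3;                  /* rest would overflow: the advisory's trigger */
    memcpy(parts->host, p, hostlen);
    parts->host[hostlen] = '\0';
    memcpy(parts->rest, colon + 1, restlen + 1);   /* copies the '\0' too */
    return 0;
}

/* Builds the advisory's trigger shape, "rtsp://a:" followed by n 'A's,
 * so the hardened parser can be exercised without a QTL file.
 * Caller frees the result. */
char *build_trigger(size_t n)
{
    const char *prefix = "rtsp://a:";
    size_t plen = strlen(prefix);
    char *s = malloc(plen + n + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, prefix, plen);
    memset(s + plen, 'A', n);
    s[plen + n] = '\0';
    return s;
}

/* Result code of the hardened parser on url, using a scratch struct. */
int rtsp_check(const char *url)
{
    rtsp_parts scratch;
    return rtsp_parse_safe(url, &scratch);
}

/* Result code of the hardened parser on a trigger with n trailing bytes. */
int rtsp_check_trigger(size_t n)
{
    char *t = build_trigger(n);
    int rc = t ? rtsp_check(t) : -99;
    free(t);
    return rc;
}

int main(void)
{
    rtsp_parts parts;
    printf("benign : rc=%d\n", rtsp_parse_safe("rtsp://example.com:554/stream", &parts));
    printf("         host=%s rest=%s\n", parts.host, parts.rest);
    printf("trigger: rc=%d (rejected before any copy)\n", rtsp_check_trigger(300));
    /* rtsp_parse_unsafe() on the same trigger would overrun parts.rest. */
    return 0;
}
```

The hardened version rejects the advisory's shape with a distinct code before touching either buffer, which is the property a fix for this class needs: the length of every component must be known before the copy, not discovered by it. A scanner for QTL files can apply the same threshold to the `src` attribute before handing the file to a player.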

Secunia reports, “Solution: Do not open untrusted QTL files.”

More info here.

“This issue has been successfully exploited in QuickTime™ Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected,” LMH reports.

Full article here.

55 Comments

  1. “The vulnerability is confirmed in version 7.1.3.100 (Windows version) and reportedly affects both Microsoft Windows and Mac OS X versions.” (my emphasis)

    So it MIGHT be a Windows issue or a QuickTime issue (could be due to how QuickTime interacts with Windows or an issue of QuickTime itself). It MIGHT be cross platform; it might not be.

    Great way to nail down the specifics of the issue! NOT!

    I just love all these people claiming, “Successful exploitation allows execution of arbitrary code.” Just because you can get the process(or) to look at the data as code, does not mean it can be an exploiting piece of code. There are lots of restrictions in the OS and QT as to what code can and cannot do even when it runs.

    It would be much more interesting if the people putting forth this “exploit” were to say that they had been able to run code that actually DID something rather than the old saw about being able to run “arbitrary code”. Until someone has shown — even in a lab environment — that truly malicious code can be run to effect some nefarious action then I call this one a non-issue.

    Should Apple fix it? YES.
    Is it a non-issue at this point? YES

  2. Hey, I thought I was the only one with similar feelings. I’m running a Mac Pro, used to have a Power Mac dual. I dunno, OS X and the Finder feels better. Hard to describe, but everything feels better and more refined on the PPC. Same amount of RAM too, 3 gigs.

  3. This can be exploited to cause a stack-based buffer overflow via a specially crafted QTL file with an overly long (more than 256 bytes) ‘src’ parameter (e.g. ‘rtsp://[any character]:[>256 bytes]’),

    And how many normal users have this special QTL file?

    Answer 1

    Non-issue in my opinion. Which means the bugs still stand at zero.

    Next?

  4. All this talk about Intel processors leads me to question whether the vulnerability is limited to them. Is QuickTime on PPC computers not affected?

    I know QT is QuickTime, but what does the L mean in QTL? I found RTSP at the acronym finder site, but not QTL.

  5. Remember “bug” and “security risk” are two separate things. There are many many bugs in OSX.

    By the way, bug.squisher, it’d probably help if you set up the MIME settings on that server so that it treats .qtl files as something other than text. Just trying to help :)

  6. By the way, if anyone hasn’t figured it out, bug.squisher’s post was an attempt at being harmful. So, I would suggest you NOT click on links within any comment linked to these types of stories for the month.

    Unless you know what you’re doing.

  7. bug.squisher,

    At least change it so that it says something like “bug.squisher’s in da houz” to REALLY prove how “mad” your “skillz” are.

    From their FAQ
    “And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end.”

    So what I posted before applies. Because Apple doesn’t kneel and pay homage to their self-described “trivial” fixes, they got bent about it. :) These are the kids whose mother did everything for them as children and are upset because good ol’ mom doesn’t have as much pull with Apple as she had with the school board.

  8. You’d think that they would start with a good one.

    This first bug appears to be hard to make work on Macs. If the remaining bugs are of this calibre, nobody will be listening when they talk about the final one on Jan 31st.

    I would have expected them to start with a flourish, get people paying attention, then slip a few marginal ones in the middle and end with a big bang. I’m not sure that this first bug is even a fizzle.

  9. If the goal is to prove the Mac is as vulnerable as Windows, I think they are going to need more than 30 days to do it. Seems to me they will need to string together about 114,000 days of bugs, just to get close.

    That works out to about 312 years.

    Good luck, LMH

  10. Crashing an app IS a success, which is why if it happens during the normal course of using an application, companies usually put that at a higher priority than things that simply “don’t work right”.

    MW Magic Phrase:
    We’ll see what they have for us in the “morning”.
