Mac OS X QuickTime proof-of-concept exploit code emerges

“Hackers now have sample attack code for the newest QuickTime vulnerability that can hijack Macs, including machines running the latest flavor of Mac OS X, Leopard, security researchers warned today,” Gregg Keizer reports for Computerworld.

“The news came just days after a bug in QuickTime’s handling of the Real Time Streaming Protocol (RTSP), an audio/video-streaming standard, was disclosed on the milw0rm.com Web site. Proof-of-concept exploit code that worked against Windows XP SP2 and Windows Vista followed shortly after,” Keizer reports. “But even though analysts confirmed on Monday that Mac OS X versions of QuickTime 7.2 and later are also vulnerable, it took several more days for other researchers to craft a reliable exploit.”

“According to the proof-of-concept, the Metasploit module works on Intel- and PowerPC-based Macs running either Mac OS X 10.4 (Tiger) or 10.5 (Leopard). It also executes on PCs running Windows XP SP2,” Keizer reports.

“Symantec urged users to disable Apple QuickTime as an RTSP protocol handler and filter outbound traffic over the most common (but not the only available) ports used by RTSP, which include TCP port 554 and UDP ports 6970-6999,” Keizer reports. “Apple has not yet issued a fix for the QuickTime RTSP bug, but when it does, the update will be the media player’s seventh security-related fix this year.”

Links and more details in the full article here.

30 Comments

  1. 1: Open QuickTime Preferences

    2: Click Advanced, then MIME settings

    3: Uncheck Streaming or RTSP

    4: Install Little Snitch, delete all the default rules and carefully whitelist outgoing connections. It’s a little trouble at first, but it sure does catch all sorts of nasties before they can open a port on you. Especially when visiting websites.

    5: If you haven’t already, create a new admin, log in to it and change your first admin to a user, and use that all the time. Use a new blank user to surf for porn/p2p so they can’t delete your files.

    6: Clone your boot drive in whole to another drive using Carbon Copy Cloner; it’s donationware. Keep it disconnected and update it occasionally. You can Option-boot from it.

  2. Well, they claim the exploit to be able to execute code, but is it ‘sandboxed’ code, i.e., user-level, or is it admin level. Knowing that difference is critical to knowing whether this is more smoke or a serious issue. So, does anyone know?

  3. I just went to a TELCEL seller in Mexico, and they have the iPhone on sale, but I do not see any ad from Apple or Telcel saying that they have it in Mexico. I asked to see it and they showed it to me. They say it has an Apple warranty. Also, they said that it is not “unblocked”; it is blocked to the Telcel carrier legally.

    The only problem is that it costs about $980.00 Dlls ($10,000.00 Mexican pesos).

    Could it be possible that the iPhone does arrive in Mexico and nobody makes announcements of any kind?

  4. iPhone Guy:
    I doubt it big time, but what the heck does the iPhone in Mexico have to do with a QuickTime exploit?

    With no “Mexican” iTunes, how do you patch the thing? How do you activate it? I have friends in Mexico that are using iPhones, but not unlocked ones.

  5. This could be a bad thing, but it depends on what type of stuff you are using QuickTime for. If you’re looking up porn, of course you leave yourself open to the possibility of nasties.
    But you are correct, QuickTime should be better behaved than this, at least on the Mac platform, because after all it is OS X, the most secure operating system in the world.

  6. I suppose this puts an end to the debate over the issue I have been offering in this forum.

    It is this: Apple has quit doing their best and are now doing only what is needed to be better than history’s worst ever OS, that being the infamous XP or Vista.

    So what do we Mac users get: invasion from the virus sphere, malware, and Windows-like headaches.

    When is MDN and the rest of those of you who remain in denial going to start demanding that we get all Cupertino is capable of delivering?

    You know, like we used to get from them.

  7. @Realist: Apple is “now doing only what is needed to be better than history’s worst ever OS….”

    Wow. Talk about spin! One exploit and now Apple is just a touch better than history’s worst OS. And it’s enough to “put an end to the debate” too! Not to mention there is no “virus” … malware is unpreventable (unless you want to disable all freeware, shareware, etc.)

    Apple needs to fix this, of course. But let’s not panic!

  8. @iPhone guy

    You were at a “re-seller”, not an official Telcel store,

    and he is hosing you at $980.00. Get yourself an iPhone, and it will cost you $60-70 to unlock in 10 minutes.

    We just got an Apple store last week, and until we have an iTunes store, no iPhone.

  9. “is it ‘sandboxed’ code, i.e., user-level, or is it admin level. Knowing that difference is critical to knowing whether this is more smoke or a serious issue”

    You’re right. A user level exploit can only delete all your data files and provide all your private information to the hacker, mail itself to all the people in your address book and allow your Mac to become a zombie

    In contrast, an admin level exploit might be able to do some real damage.

  10. @ HotinPlaya

    “…until we have an iTunes store, no iPhone.”

    Just curious though… China doesn’t have an iTunes store either, but why are they talking about iPhone negotiations over there? In fact, I believe most of Asia does not have an iTunes store.

    Does that mean all these “non-ITMS” countries won’t be getting iPhones anytime soon? Anyone?

  11. Where is the famous “MDN Take” that appears on every news item that is not favorably biased towards Apple??? Hard to defend the truth, isn’t it? The truth is that to date Mac OS has been relatively hacker-free not because it is more robust but because hackers have not devoted the same level of time and effort to writing hacks, due to the paltry global share of market Apple has. As Apple’s global SOM continues to grow at the current phenomenal rate of less than 0.5% per year, so will the hacks and required patches. Welcome to reality, Appleheads! You are now becoming victims of your own success! Enjoy!!!!!

  12. However, running Little Snitch feels like I’m running Windows… The Attack of the Endless Dialogue Boxes!

    If you’re getting endless dialogue boxes, it means you haven’t read the Little Snitch instructions on how to allow certain connections permanently.

    Your computer has a lot of ports, or doorways in/out of your machine, something like 65,535 ports. Lots of avenues for malware, spyware and marketingware to travel without your knowledge.

    http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

    Most commonly used programs like web browsers use a certain common port like TCP 80 (anything outside of this should raise some attention). So you allow Safari to make permanent outgoing connections on this port, to “any server”, because one is always connecting to different sites when browsing.

    Certain processes in Mac OS X always make outgoing connections: to the IANN, to the Apple time server, to your local network, etc. Obviously you evaluate that these connections are OK and allow them permanently so you don’t get the problem you’re having, that LS keeps asking you for permission.

    After some training the Little Snitch dialog box rarely appears, and when it does, you’ll be glad it did. Especially if you just gave your password to what you thought was a good program.
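The egress filtering Symantec recommends in the article (block outbound TCP 554 and UDP 6970-6999) and the per-application whitelisting that comment 1 and this comment describe, as an added example that is not code from the article, from Symantec or from Little Snitch: a small per-process egress policy, evaluated first-match with a default deny, run over constructed outbound-connection records. The log format, the process names, the hosts and the rule set are all assumptions made for the example.

```python
"""Per-process egress policy check for the QuickTime RTSP workaround.

Added example, not code from the article, Symantec or Little Snitch.
The log format, process names, hosts and rules below are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# The ports Symantec named as the most common (not the only) ones RTSP uses:
# TCP 554 for the control channel, UDP 6970-6999 for the RTP/RTCP media.
RTSP_TCP_PORTS = frozenset({554})
RTP_UDP_PORTS = frozenset(range(6970, 7000))


def rtsp_related(proto: str, port: int) -> bool:
    """True if (proto, port) is one of the RTSP/RTP ports from the advisory."""
    if proto == "tcp":
        return port in RTSP_TCP_PORTS
    if proto == "udp":
        return port in RTP_UDP_PORTS
    return False


@dataclass(frozen=True)
class Rule:
    process: str                      # process name, or "*" for any process
    proto: str                        # "tcp", "udp" or "*"
    ports: Optional[FrozenSet[int]]   # destination ports, None = any port
    host: str                         # destination host, or "*" for any host
    action: str                       # "allow" or "deny"
    note: str = ""                    # why the rule exists (reported on match)

    def matches(self, process: str, proto: str, host: str, port: int) -> bool:
        return ((self.process in ("*", process))
                and (self.proto in ("*", proto))
                and (self.ports is None or port in self.ports)
                and (self.host in ("*", host)))


# Hypothetical rule set in the spirit of the comments: explicit allows first,
# an explicit deny for the advisory's RTSP ports from any process, and a
# default deny last so anything not whitelisted is refused.
POLICY: List[Rule] = [
    Rule("Safari", "tcp", frozenset({80, 443}), "*", "allow", "web browsing"),
    Rule("ntpd", "udp", frozenset({123}), "time.apple.com", "allow", "Apple time server"),
    Rule("*", "tcp", RTSP_TCP_PORTS, "*", "deny", "RTSP control port (Symantec workaround)"),
    Rule("*", "udp", RTP_UDP_PORTS, "*", "deny", "RTP/RTCP media ports (Symantec workaround)"),
    Rule("*", "*", None, "*", "deny", "default deny: no whitelist entry"),
]

# Constructed outbound-connection records: "<date> <time> <process> <proto> <host> <port>".
# The last record is RTSP on a nonstandard port, which a port-only filter would miss.
SAMPLE_LOG = """\
2007-11-29 10:01:02 Safari tcp www.example.com 80
2007-11-29 10:01:05 QuickTime Player tcp stream.example.net 554
2007-11-29 10:01:06 QuickTime Player udp stream.example.net 6972
2007-11-29 10:02:10 ntpd udp time.apple.com 123
2007-11-29 10:03:00 Safari tcp www.example.com 8080
2007-11-29 10:03:20 QuickTime Player tcp 203.0.113.7 8554
"""


def parse_line(line: str) -> Tuple[str, str, str, int]:
    """Split one record; the process name may contain spaces, so split from the right."""
    head, proto, host, port = line.rsplit(None, 3)
    process = head.split(None, 2)[2]
    return process, proto.lower(), host, int(port)


def evaluate(process: str, proto: str, host: str, port: int,
             policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """First-match evaluation; returns (action, note)."""
    for rule in policy:
        if rule.matches(process, proto, host, port):
            return rule.action, rule.note
    return "deny", "no rule matched"   # unreachable while POLICY ends in a default deny


def audit(lines: Iterable[str], policy: List[Rule] = POLICY):
    """Return one (process, proto, host, port, action, note) tuple per non-empty line."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        process, proto, host, port = parse_line(line)
        action, note = evaluate(process, proto, host, port, policy)
        results.append((process, proto, host, port, action, note))
    return results


if __name__ == "__main__":
    for process, proto, host, port, action, note in audit(SAMPLE_LOG.splitlines()):
        flag = " [RTSP/RTP port]" if rtsp_related(proto, port) else ""
        print(f"{action:5} {process:17} {proto} {host}:{port}{flag}  <- {note}")
```

The two QuickTime records on 554 and 6972 are caught by the port rules, which is all the advisory's port filter gives you. The final record, QuickTime talking RTSP to an arbitrary host on 8554, is exactly the "not the only available ports" case: the port rules do not see it, and only the per-process default deny stops it. That is why the comments' advice to delete the default rules and whitelist per application is the stronger of the two workarounds, at the cost of the training period this comment describes.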
