Apple Patches First 'Month of Apple Bugs' Flaw
Apple Inc. on Tuesday released a software patch to fix an extremely serious security hole in its QuickTime media player program, one that could be exploited to install malicious software on Microsoft Windows or Mac OS X systems just by convincing a user to click on a specially crafted Web link.
But what about a patch for Windows users of QuickTime? Apple says: "For Windows 2000 Service Pack 4 / XP: The update is available via the 'Apple Software Update' application, which is installed with the most recent version of QuickTime or iTunes."
I have this updater application installed on one of my Windows machines thanks to a recent re-install of iTunes, but it did not detect a new version of QuickTime when I ran it this morning.
Worse still, Apple doesn't appear to have changed a single thing in the latest QuickTime version for Windows, according to the SANS Internet Storm Center, which is currently advising Windows users to simply uninstall QuickTime altogether. I don't know why Apple can't just include a link to a patched Windows version of QuickTime in their advisories the same way they do for Apple users. Many Windows users probably do not have this software update utility installed, and while an auto-updater is always a welcome step, Apple should not force its largest user base to install another application to install a patch.
Anyway, the security hole Apple plugged was the very first flaw showcased in this month's highly polarizing Month of Apple Bugs project, which promised that for each day in January it would highlight a previously undocumented security hole in OS X or in an application built for the Mac operating system.
Security Fix is long overdue in revisiting this project, which is now more than two-thirds completed. This endeavor has engendered a huge amount of controversy in addition to quite a bit of drama within the security community, mainly because the co-curators of the project -- researcher Kevin Finisterre and a hacker identified only by his online nickname "LMH" -- have chosen to not only point out previously unidentified flaws but also to post computer code that could potentially allow anyone with the right skills to use the flaws to conduct their own attack against Mac users.
Very shortly after the project began, a group of Mac programmers led by former Apple employee Landon Fuller launched a corresponding "Month of Apple Fixes," a daily third-party update effort designed to create stopgap "patches" to plug security holes identified by the Month of Apple Bugs researchers.
According to vulnerability watcher Secunia, it appears that 16 of the MoAB-identified flaws are exploitable remotely, and another eight identified vulnerabilities could let local or remote attackers gain more control over the computer in order to make system-wide changes. Still, a fair percentage of the flaws reside in applications that, while written for the OS X platform, are not installed on most Macs by default. That said, at least ten of the flaws revealed so far were classified as "highly critical" or "moderately critical" by Secunia. It's also worth noting that some of the most serious vulnerabilities outlined so far affect "cross-platform" applications like QuickTime that are far more prevalent on Microsoft Windows machines than on Mac computers.
Much digital ink has already been spilled on whether this experiment is beneficial or detrimental to Mac users. The majority of people I've seen quoted in stories thus far have chastised the project captains as irresponsible grand-standers who are uninterested in improving the security of the average Mac user. So I asked a couple of trusted sources about their opinions on this project, and received differing but equally defensible positions on the outcome so far.
Gartner analyst Rich Mogull, who until recently covered many of the ins-and-outs of this Month of Apple Bugs project on his blog, says he has viewed the experiment with a jaundiced eye from the start.
"If the goal was to raise awareness about Mac security generally, the kinds of things we've been seeing [from the project] so far don't quite do that," Mogull said. He said the way they've gone about baiting the Mac developer community "leaves too much room for the zealots to attack their project. The fact that these guys are dropping [exploit code] along with their advisories means that most security experts cannot support the project."
As for the third-party patches created by Apple supporters, Mogull said they're a nice touch but advised Mac users to steer clear and wait for an official update from Apple.
"For the average user, I don't generally recommend doing unsupported patches, and if you're [a business] I'd pretty much never recommend it," Mogull said.
I received a somewhat more hopeful perspective on the MoAB project from Jay Beale, co-founder of Washington, D.C.-based security consultancy Intelguardians and leader of the Bastille Project, an innovative approach to further improving the security of Mac OS X machines.
Beale suggested that all of the free bug vetting Apple is receiving through the Month of Apple Bugs "is going to be wonderful" for the state of Apple security going forward.
"On the surface, this project may seem really bad, but if I [were] talking to an OS X user, I'd say I know this is somewhat scary...but in the end Apple is going to be a whole lot harder to break into. Yes, what they're doing is making it so that more people have the knowledge and capability to exploit flaws in OS X, but on the other hand they're not creating the flaws. The vulnerabilities are already there. Just because this guy releases a vulnerability to the world doesn't mean it wasn't already in use. Lots of other people might have already found it and shared with only five people in the hacker underground and so we have no way of knowing our systems are being exploited."
Beale said he is hopeful that the project will nudge Apple even further toward being more publicly engaging on OS X security.
"The reason this is good is that it really raises OS X security awareness a great deal," he said. "I hope it will motivate Apple to get a consistent direction and message and hopefully a leader on security. Apple has great security people, but they need someone in the organization who speaks for security, evangelizes and publicly takes the lead on the subject."
MoAB's LMH said the project will likely continue into February, when he plans to sporadically release documentation on other bugs that won't fit into this month's batch. When asked for a response to this week's QuickTime security advisory from Apple -- which references but does not explicitly credit the MoAB project -- LMH said he hadn't expected any champagne and caviar from Apple HQ, but that he doesn't share Beale's view that any of this will change Apple's public approach to security. "They continue to be the same dysfunctional company when it comes to security issues. And they just confirmed it again. So, I think I achieved one of my personal goals."
Posted by: Michael | January 24, 2007 1:33 PM | Report abuse