Apple Patches First 'Month of Apple Bugs' Flaw

Apple Inc. on Tuesday released a software patch to fix an extremely serious security hole in its QuickTime media player program, one that could be exploited to install malicious software on Microsoft Windows or Mac OS X systems just by convincing a user to click on a specially crafted Web link.

Mac users of QuickTime can download the free updates using OS X's Software Update feature, or directly from Apple Downloads.

But what about a patch for Windows users of QuickTime? Apple says: "For Windows 2000 Service Pack 4 / XP: The update is available via the 'Apple Software Update' application, which is installed with the most recent version of QuickTime or iTunes."

I have this updater application installed on one of my Windows machines thanks to a recent re-install of iTunes, but it did not detect a new version of QuickTime when I ran it this morning.

Worse still, Apple doesn't appear to have changed a single thing in the latest QuickTime version for Windows, according to the SANS Internet Storm Center, which is currently advising Windows users to simply uninstall QuickTime altogether. I don't know why Apple can't just include a link to a patched Windows version of QuickTime in their advisories the same way they do for Apple users. Many Windows users probably do not have this software update utility installed, and while an auto-updater is always a welcome step, Apple should not force its largest user base to install another application to install a patch.

Anyway, the security hole Apple plugged was the very first flaw showcased in this month's highly polarizing Month of Apple Bugs project, which promised that for each day in January it would highlight a previously undocumented security hole in OS X or in an application built for the Mac operating system.

Security Fix is long overdue in revisiting this project, which is now more than two-thirds completed. This endeavor has engendered a huge amount of controversy in addition to quite a bit of drama within the security community, mainly because the co-curators of the project -- researcher Kevin Finisterre and a hacker identified only by his online nickname "LMH" -- have chosen not only to point out previously unidentified flaws but also to post computer code that could potentially allow anyone with the right skills to use the flaws to conduct their own attack against Mac users.

Very shortly after the project began, a group of Mac programmers led by former Apple employee Landon Fuller launched a corresponding "Month of Apple Fixes," a daily third-party update effort designed to create stopgap "patches" to plug security holes identified by the Month of Apple Bugs researchers.

According to vulnerability watcher Secunia, it appears that 16 of the MoAB-identified flaws are exploitable remotely, and another eight identified vulnerabilities could let local or remote attackers gain more control over the computer in order to make system-wide changes. Still, a fair percentage of the flaws reside in applications that, while written for the OS X platform, are not installed on most Macs by default. That said, at least ten of the flaws revealed so far were classified as "highly critical" or "moderately critical" by Secunia. It's also worth noting that some of the most serious vulnerabilities outlined so far affect "cross-platform" applications like QuickTime that are far more prevalent on Microsoft Windows machines than on Mac computers.

Much digital ink has already been spilled on whether this experiment is beneficial or detrimental to Mac users. The majority of people I've seen quoted in stories thus far have chastised the project captains as irresponsible grandstanders who are uninterested in improving the security of the average Mac user. So I asked a couple of trusted sources about their opinions on this project, and received differing but equally defensible positions on the outcome so far.

Gartner analyst Rich Mogull, who until recently covered many of the ins-and-outs of this Month of Apple Bugs project on his blog, says he has viewed the experiment with a jaundiced eye from the start.

"If the goal was to raise awareness about Mac security generally, the kinds of things we've been seeing [from the project] so far don't quite do that," Mogull said. He said the way they've gone about baiting the Mac developer community "leaves too much room for the zealots to attack their project. The fact that these guys are dropping [exploit code] along with their advisories means that most security experts cannot support the project."

As for the third-party patches created by Apple supporters, Mogull said they're a nice touch but advised Mac users to steer clear and wait for an official update from Apple.

"For the average user, I don't generally recommend doing unsupported patches, and if you're [a business] I'd pretty much never recommend it," Mogull said.

I received a somewhat more hopeful perspective on the MoAB project from Jay Beale, co-founder of Washington, D.C.-based security consultancy Intelguardians and leader of the Bastille Project, an innovative approach to further improving the security of Mac OS X machines.

Beale suggested that all of the free bug vetting Apple is receiving through the Month of Apple Bugs "is going to be wonderful" for the state of Apple security going forward.

"On the surface, this project may seem really bad, but if I [were] talking to an OS X user, I'd say I know this is somewhat scary...but in the end Apple is going to be a whole lot harder to break into. Yes, what they're doing is making it so that more people have the knowledge and capability to exploit flaws in OS X, but on the other hand they're not creating the flaws. The vulnerabilities are already there. Just because this guy releases a vulnerability to the world doesn't mean it wasn't already in use. Lots of other people might have already found it and shared with only five people in the hacker underground and so we have no way of knowing our systems are being exploited."

Beale said he is hopeful that the project will nudge Apple even further toward being more publicly engaging on OS X security.

"The reason this is good is that it really raises OS X security awareness a great deal," he said. "I hope it will motivate Apple to get a consistent direction and message and hopefully a leader on security. Apple has great security people, but they need someone in the organization who speaks for security, evangelizes and publicly takes the lead on the subject."

MoAB's LMH said the project will likely continue into February, when he plans to sporadically release documentation on other bugs that won't fit into this month's batch. When asked for a response to this week's QuickTime security advisory from Apple -- which references but does not explicitly credit the MoAB project -- LMH said he hadn't expected any champagne and caviar from Apple HQ, but that he doesn't share Beale's view that any of this will change Apple's public approach to security. "They continue to be the same dysfunctional company when it comes to security issues. And they just confirmed it again. So, I think I achieved one of my personal goals."

By Brian Krebs  |  January 24, 2007; 12:37 PM ET
Categories:  New Patches  


Here's one OS X user who is pretty cool with the MOAB project. In general I'm in favor of freedom of information. If there are problems, ***I want to know***.

For example, I've followed MOAB's advice to install RCDefault Apps and use it to disable some URL handlers till the fixes come. On balance I'm happier knowing what I'd best do and best avoid than not.

But I'm not using the patches from the other group - MOAB Fixes. I'm taking the minimum action necessary. I'm not installing something that might give me grief itself.

But I wish Apple had taken a bit more care. MOAB has shown that they've been walking around with their pants around their ankles hoping no one would notice.

Posted by: Michael | January 24, 2007 1:33 PM | Report abuse

While MOAB could be a great opportunity for Windoze users to gloat, we know better. I sold my soul to the Devil From Redmond ten years ago, in order to have unhampered access to work apps at home. Most days I love it, others I want to give Bill Gates a pie in the face... now, there's an image for you and a great challenge!

Posted by: rupyoda | January 24, 2007 1:45 PM | Report abuse

And what about those of us who have no use for iTunes and only want the Quicktime standalone? Apparently that hasn't been updated, or if it has, the link is well hidden. And even worse, the link from Secunia's Software Inspector leads to a download that yields the same version that is already on the computer. Bah!

Posted by: Gin | January 24, 2007 1:45 PM | Report abuse

As the original author of many of the patches, I agree with Rich Mogull's stance.

Moreover, I would not personally endorse installing third party patches to anyone that did not either feel comfortable evaluating the code for efficacy and correctness, or knew someone they could trust to do the same.

That said, as the head of IT at our company, I've ensured that all of our computers are patched, ... but I also wrote or code reviewed all of the patches.

Ultimately, it's never unreasonable to wait for an officially provided vendor fix. The decision to use a third party patch should be made after a careful assessment of the vulnerability's risks and your own requirements.

Posted by: landonf | January 24, 2007 1:46 PM | Report abuse

So, Apple's security notice "references but does not explicitly credit the MoAB project." That's accurate, and I don't believe that any "credit" should be given.

From the Apple security notice: "Description: A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution. A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007). This update addresses the issue by performing additional validation of RTSP URLs."

These guys published exploit code with no advance warning to Apple, putting users at risk to achieve one of their "personal goals."

It is appropriate of Apple to note where the vulnerability was made known. "Credit" should be reserved for those who follow responsible disclosure procedures and give the vendor an opportunity to fix problems first.

Posted by: Thor | January 24, 2007 4:06 PM | Report abuse
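The Apple advisory quoted in the comment above describes a buffer overflow in QuickTime's handling of RTSP URLs, fixed by "performing additional validation of RTSP URLs." The following C program is an added illustration of that general defect class and its fix; it is not Apple's or QuickTime's code and says nothing about how QuickTime actually parsed URLs. It places the unsafe pattern (an attacker-controlled host string copied into a fixed buffer with no length check) beside a hardened parser that validates the scheme, the host length and the host characters before copying anything. The function names, the `HOST_MAX` limit and the sample URLs are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* constructed size for the host buffer, not a real QuickTime value */

/* Unsafe pattern of the kind the advisory describes (constructed, not Apple's code):
 * the host part of the URL is copied into a fixed buffer with no length check, so a
 * host longer than HOST_MAX - 1 bytes overruns host_out. Kept only for contrast with
 * the hardened version below; main() feeds it a short, well-formed URL. */
static void copy_host_unchecked(const char *url, char *host_out)
{
    const char *host = url + strlen("rtsp://");
    size_t len = strcspn(host, "/");   /* host ends at the first '/' */
    memcpy(host_out, host, len);       /* no bound check against HOST_MAX */
    host_out[len] = '\0';
}

/* Hardened parser: validate before copying. Returns true and fills host_out on
 * success; returns false (leaving host_out empty) for a missing or wrong scheme,
 * an empty host, a host that would not fit in host_cap bytes, or characters that
 * do not belong in a hostname or port. */
bool parse_rtsp_host(const char *url, char *host_out, size_t host_cap)
{
    static const char scheme[] = "rtsp://";
    const size_t scheme_len = sizeof scheme - 1;

    if (url == NULL || host_out == NULL || host_cap == 0)
        return false;
    host_out[0] = '\0';

    if (strncmp(url, scheme, scheme_len) != 0)
        return false;                                /* not an rtsp:// URL */

    const char *host = url + scheme_len;
    size_t len = strcspn(host, "/?#");               /* host ends at path, query or fragment */

    if (len == 0 || len >= host_cap)
        return false;                                /* empty, or no room for the NUL */

    for (size_t i = 0; i < len; i++) {               /* hostname, port and IPv6 bracket chars only */
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':' || c == '[' || c == ']'))
            return false;
    }

    memcpy(host_out, host, len);
    host_out[len] = '\0';
    return true;
}

/* Convenience check: does this URL parse safely into a HOST_MAX-byte buffer? */
bool rtsp_url_accepted(const char *url)
{
    char host[HOST_MAX];
    return parse_rtsp_host(url, host, sizeof host);
}

/* Builds a constructed URL whose host is longer than HOST_MAX and confirms the
 * hardened parser rejects it instead of writing past the end of the buffer. */
bool overlong_host_rejected(void)
{
    char url[HOST_MAX + 64];
    size_t n = (size_t)snprintf(url, sizeof url, "rtsp://");
    while (n < HOST_MAX + 16)
        url[n++] = 'a';                              /* 80-byte host, well over HOST_MAX */
    memcpy(url + n, "/stream", sizeof "/stream");    /* copies the trailing NUL too */
    return !rtsp_url_accepted(url);
}

int main(void)
{
    char host[HOST_MAX];
    const char *sample = "rtsp://media.example.com:554/live/stream";   /* constructed */

    copy_host_unchecked(sample, host);               /* harmless here only because the host is short */
    printf("unchecked copy:        %s\n", host);

    printf("hardened parse:        %s\n",
           parse_rtsp_host(sample, host, sizeof host) ? host : "(rejected)");
    printf("overlong host rejected: %s\n", overlong_host_rejected() ? "yes" : "no");
    printf("http:// URL rejected:   %s\n",
           rtsp_url_accepted("http://media.example.com/") ? "no" : "yes");
    return 0;
}
```

The point of the contrast is where the length check sits: the hardened parser decides whether the host fits before any byte is written, and it rejects rather than truncates, because silently truncating a hostname can itself change which server a client connects to. The character allow-list is a simplification for illustration and does not implement the full URL grammar.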

Are you going to mention the evidence that the MoAB "researchers" apparently stepped over the line and actually "tested" one of their exploits on real IRC users on #macdev on freenode? If not, why not?

Are you going to mention that the "researchers" apparently lump all developers of Apple OS X software in with Apple as "not responsive" to security issues when they didn't inform the VLC, Colloquy or Omniweb developers in advance of releasing exploit code? If not, why not?

I wonder why Brian Krebs has no interest in investigating the MoAB researchers? Isn't evidence of Black Hat activities by MoAB worth some time? Even if it isn't true or the proof is lacking, it seems like a follow up with your buddies is in order, don't you think Brian?

Posted by: James Bailey | January 24, 2007 7:12 PM | Report abuse

Dear Brian,

Thank you very much for the service that you are giving. I have notified Apple for three years about this bug, and also posted about it in MacFixit (a popular site for Mac users), but Apple kept ignoring the bug. Your approach, namely full disclosure with forewarning, forced Apple to take notice and fix the bug, at last. So, I understand the concern of those who are against full disclosure, but they should appreciate the fact that millions of users had that security bug for years, that Apple ignored it, and that the only way to fix it was to publish it in a way that Apple could not possibly ignore it. Thank you MOAB. Keep up with the good work.

Posted by: Bob Hunter | January 25, 2007 3:43 AM | Report abuse

Windows user here. I really love how, when the Apple Software Update application runs, it tells me that "iTunes + QuickTime" (listed together on a single line, so that you cannot select just one of them) are ready to be downloaded and installed.

That's nice, except I don't have iTunes installed on my machine in the first place. This doesn't seem to be an "updater" as much as it does a marketing gimmick to promote iTunes downloads. And really, that's a pretty disgraceful way to handle security updates for QuickTime.

Posted by: tokyo_joe | January 26, 2007 12:31 AM | Report abuse

While this favour of pointing out holes in Apple's embraced (some say stolen) Unix based OS will make it slightly stronger, the Windows-based one is on its way to become the only OS both business and home users will be able to rely on in terms of stability, looks, functionality, extreme multitasking, compatibility, versatility, ease of use and open platform. Apple lovers should wake up from this ordeal they feel they constantly have to avoid being hip and join the Microsoft crowd, here with us is fun and glory. No matter how fast you manage to hide the hand once you've thrown the stone, we already know Apple PCs are unreliable, hang and crash at all times, unsafe in internetworking environments, lacking the service level Wintel PC manufacturers offer, expensive to repair and not very appealing in terms of looks as the cheap plastic is there to hide a high rate of failures.

Posted by: | February 1, 2007 5:15 PM | Report abuse


© 2010 The Washington Post Company