Old Apr 8, 2008, 09:05 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Hardens QuickTime Security

With QuickTime increasingly becoming a target for malicious hackers, eWeek reports that Apple has taken several steps to make QuickTime more secure in the latest version (7.4.5), released just last week.

Besides patching 11 security vulnerabilities, the new version of QuickTime adds a few new features such as ASLR (address space layout randomization), stack buffer safety checking and function call hardening, all of which make it much more difficult to hack QuickTime.

Security researchers have applauded the efforts:
Quote:
"That's a pretty big change for a point release," said Dino Dai Zovi, a hacker who has written multiple exploits for QuickTime. "They [Apple] have way more guts than many other software companies to do something like that. Either that, or they are afraid of the backlash if malware starts targeting QuickTime and iTunes in a more serious way."
MacRumors is offline   Reply With Quote
Old Apr 8, 2008, 09:44 AM   #2
axcess99
macrumors newbie
 
Join Date: Jul 2005
Quote:
Originally Posted by eastcoastsurfer View Post
Pretty simple. When you load a web page, JavaScript on that page can only send requests back to the server you loaded the original page from. This stops you from going to a site which seems legit that then has js sending data to another site which isn't legit.
That is how JavaScript pages are supposed to work. IE, FF, Safari, all do that in addition to other steps. That is not XSS. Please see http://en.wikipedia.org/wiki/Same_origin_policy and http://en.wikipedia.org/wiki/Cross-site_scripting respectively.
axcess99 is offline   Reply With Quote
Old Apr 8, 2008, 09:50 AM   #3
eastcoastsurfer
macrumors 6502
 
Join Date: Feb 2007
Quote:
Originally Posted by axcess99 View Post
That is how JavaScript pages are supposed to work. IE, FF, Safari, all do that in addition to other steps. That is not XSS. Please see http://en.wikipedia.org/wiki/Same_origin_policy and http://en.wikipedia.org/wiki/Cross-site_scripting respectively.
If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe is exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...
eastcoastsurfer is offline   Reply With Quote
Old Apr 8, 2008, 09:57 AM   #4
MrFrankly
macrumors regular
 
Join Date: Jan 2006
Quote:
Originally Posted by eastcoastsurfer View Post
If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe is exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...
The cross-site scripting part of that scenario is just part 3 where she posts the message. The fact that it's sending something to a different server is not necessarily part of cross-site scripting. It's just a way to make it useful.
MrFrankly is offline   Reply With Quote
Old Apr 8, 2008, 10:00 AM   #5
PlaceofDis
macrumors Demi-God
 
Join Date: Jan 2004
Location: Chicago.
Security is an on-going process, and I'm glad that Apple are trying to be pro-active about it rather than reactionary, for the most part.
__________________
dim my eyes on the waves of confessions...
SpringWarmCold
PlaceofDis is offline   Reply With Quote
Old Apr 8, 2008, 10:29 AM   #6
clevin
macrumors 601
 
Join Date: Aug 2006
Quote:
Originally Posted by eastcoastsurfer View Post
If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe is exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...
That's part of the reason why an anti-phishing, anti-malicious websites mechanism is so important in modern browsers. Too bad Safari still doesn't offer this.

Anyway, there is always NoScript for Firefox..

PS. my impression is that XSS isn't all bad, somebody clarify this?
PS2. I noticed two updates (iTunes 7.6.2 and QT 7.4.5) again are ~90MB in size.. Will Apple ever be able to make some partial update packages and save me some download time? Or people with slow internet speed don't deserve same level of security?
clevin is offline   Reply With Quote
Old Apr 8, 2008, 12:34 PM   #7
Eraserhead
Contributor
 
Join Date: Nov 2005
Location: Oxford, UK
Quote:
Originally Posted by clevin View Post
That's part of the reason why an anti-phishing, anti-malicious websites mechanism is so important in modern browsers. Too bad Safari still doesn't offer this.
Anti-phishing is OK, stopping cross-site scripting is good (any attacks are more subtle), and both is even better from a security POV.

Quote:
Originally Posted by clevin View Post
PS. my impression is that XSS isn't all bad, somebody clarify this?
Well, it's not, the website I noticed this on was using it legitimately. However they could have done it another way and to be honest it doesn't really have too many legitimate uses.
Eraserhead is offline   Reply With Quote
Old Apr 8, 2008, 12:45 PM   #8
jellomizer
macrumors 6502
 
Join Date: Sep 2006
Location: Upstate NY
Quote:
Originally Posted by Eraserhead View Post
Anti-phishing is OK, stopping cross-site scripting is good (any attacks are more subtle), and both is even better from a security POV.
Phishing is actually a big problem. I would say worse than cross site scripting. Cross site scripting usually happens when you are on questionable websites, kind of an "I know I shouldn't be there" type of action.

But Phishing is actually more subtle. Let's say I go to XYZBank.com but I typed in XYZBenk.com or XYZ-Bank.com... Something I wouldn't quickly catch. And the site looks just like my bank. I enter my password and username. It gives an error that the bank site is under maintenance.... But by that time I am already dead.
__________________
17" Core 2 Duo MacBook Pro
3GB of RAM, 100GB 7200 RPM, Glossy
jellomizer is offline   Reply With Quote
Old Apr 8, 2008, 07:28 PM   #9
Angsty
macrumors member
 
Join Date: Feb 2007
Location: Melbourne, Australia
Quote:
Originally Posted by clevin View Post
PS2. I noticed two updates (iTunes 7.6.2 and QT 7.4.5) again are ~90MB in size.. Will Apple ever be able to make some partial update packages and save me some download time? Or people with slow internet speed don't deserve same level of security?

LOL - or for those of us who have a download quota on their broadband plan and need to be frugal about what they download..... or suffer getting 'shaped' back to 64kb till the next bill cycle date!!
Angsty is offline   Reply With Quote
Old Apr 8, 2008, 08:04 PM   #10
simX
macrumors 6502a
 
Join Date: May 2002
Location: Bay Area, CA
Quote:
Originally Posted by Angsty View Post
LOL - or for those of us who have a download quota on their broadband plan and need to be frugal about what they download..... or suffer getting 'shaped' back to 64kb till the next bill cycle date!!
The current packages offered via Software Update are *already* "delta" packages which change only what needs to be changed.

If you have a slow internet connection or a bandwidth quota, just go to your nearest Apple retail store and ask them to burn a CD of updates for you.
__________________
Get Memory Usage Getter, the only Mac OS X utility that graphically displays the memory and CPU usage of every open process!
800 MHz 17" G4 iMac | 1 GB RAM | SuperDrive | OS X 10.3.2 | iPod

Join the MacRumors SETI team, and help kick Symantec off the Top 200 list!
simX is offline   Reply With Quote
Old Apr 8, 2008, 09:46 AM   #11
MrFrankly
macrumors regular
 
Join Date: Jan 2006
Quote:
Originally Posted by eastcoastsurfer View Post
Pretty simple. When you load a web page, JavaScript on that page can only send requests back to the server you loaded the original page from. This stops you from going to a site which seems legit that then has js sending data to another site which isn't legit.
That is not cross-site scripting. What you're describing is called cross-site request forgery (confusing, I know).

forever.b0rked explains what I tried to rhetorically ask Eraserhead
MrFrankly is offline   Reply With Quote
Old Apr 8, 2008, 11:07 AM   #12
Eraserhead
Contributor
 
Join Date: Nov 2005
Location: Oxford, UK
Quote:
Originally Posted by MrFrankly View Post
That is not cross-site scripting. What you're describing is called cross-site request forgery (confusing, I know).

forever.b0rked explains what I tried to rhetorically ask Eraserhead
Sorry, I was busy so didn't respond, basically some pages don't display properly in Safari with the error in the web inspector of the following:

Unsafe Javascript attempt to access http://www.somewebsite.com from frame with URL http://blahblah.somewebsite.com domains, protocols and ports must match
Eraserhead is offline   Reply With Quote
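The rule behind the Safari message quoted in the post above ("domains, protocols and ports must match"), as an added example that is not part of the original thread. It goes beyond the one pair of URLs in the error message to cover protocol and port differences too; the function names and the extra test URLs are constructed for illustration.

```javascript
// Added example (not from the thread): the origin comparison behind Safari's
// "domains, protocols and ports must match" message.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the three components the browser compares.
function originTuple(urlString) {
  const u = new URL(urlString);            // WHATWG URL parser (browsers, Node.js)
  return {
    protocol: u.protocol,                  // e.g. "http:"
    domain: u.hostname,                    // the parser lower-cases the host
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // "" from the parser means default port
  };
}

// List which components differ; an empty list means same origin.
function originMismatches(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  return ["protocol", "domain", "port"].filter((k) => ta[k] !== tb[k]);
}

function sameOrigin(a, b) {
  return originMismatches(a, b).length === 0;
}

// The first pair is taken from the error message in the post; the rest are constructed.
const CASES = [
  ["http://www.somewebsite.com", "http://blahblah.somewebsite.com"],
  ["http://www.somewebsite.com/a", "http://WWW.somewebsite.com:80/b"],
  ["http://www.somewebsite.com", "https://www.somewebsite.com"],
  ["http://www.somewebsite.com", "http://www.somewebsite.com:8080"],
];

// One line per pair: either "same origin" or the components that differ.
function report() {
  return CASES.map(([a, b]) => {
    const diff = originMismatches(a, b);
    return `${a} vs ${b}: ` +
      (diff.length ? `blocked (${diff.join(", ")} differ)` : "same origin");
  });
}

report().forEach((line) => console.log(line));
```

A subdomain counts as a different domain for this check, which is why the two somewebsite.com frames in the post cannot script each other even though they share a parent domain.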
Old Apr 8, 2008, 03:24 PM   #13
seashellz
macrumors 6502
 
Join Date: Nov 2004
Quote:
Originally Posted by Eraserhead View Post
Sorry, I was busy so didn't respond, basically some pages don't display properly in Safari with the error in the web inspector of the following:

Unsafe Javascript attempt to access http://www.somewebsite.com from frame with URL http://blahblah.somewebsite.com domains, protocols and ports must match


when I clicked 'somewebsite'-I got that;
when I clicked 'blahblah' I get to the Open DNS page (using Safari)

I guess a good question would be: we live in the 21st century-why is SAFARI still allowed to be phished...?

Last edited by seashellz : Apr 8, 2008 at 03:31 PM.
seashellz is offline   Reply With Quote
Old Apr 8, 2008, 09:08 AM   #14
Eraserhead
Contributor
 
Join Date: Nov 2005
Location: Oxford, UK
Good to know that they've improved it. I notice that the latest Safari has also blocked cross site scripting, unlike Internet Explorer and Firefox.
Eraserhead is offline   Reply With Quote
Old Apr 8, 2008, 09:10 AM   #15
TheSpecialist
macrumors 6502
 
Join Date: Jun 2007
Location: The Netherlands, Europe
Great job Apple!

Now who is rating this negative? Why would this be negative? For hackers? MS fanboys?

Last edited by TheSpecialist : Apr 8, 2008 at 09:23 AM.
TheSpecialist is offline   Reply With Quote
Old Apr 8, 2008, 09:12 AM   #16
samh004
macrumors 68020
 
Join Date: Mar 2004
Location: Australia
I guess you don't want to make an announcement that you've tightened things up, only to have everyone look for that one error in coding and then say you really haven't done the job... best to just secretly update it. Point release FTW!
__________________
samh004 is offline   Reply With Quote
Old Apr 8, 2008, 09:13 AM   #17
BrianMojo
macrumors regular
 
Join Date: Jul 2006
Location: Boston, MA
This is pretty cool. I honestly was getting a bit concerned about how many exploits were targeting Quicktime specifically, and this seems like a logical reaction.
BrianMojo is offline   Reply With Quote
Old Apr 8, 2008, 09:19 AM   #18
elppa
macrumors 68020
 
Join Date: Nov 2003
Quicktime is great – it was the first proper multimedia software for home computers.

The problem is a lot of the code is very old now and mistakes were probably made that would not be made today – benefit of hindsight etc.

That said it is good Apple are making positive steps towards locking down some of the vulnerabilities. Security is a continuous process though.
__________________
Snow Leopard is animated
elppa is offline   Reply With Quote
Old Apr 8, 2008, 09:43 AM   #19
Stridder44
macrumors 68040
 
Join Date: Mar 2003
Location: California
Quote:
Originally Posted by elppa View Post
Quicktime is great – it was the first proper multimedia software for home computers.

The problem is a lot of the code is very old now and mistakes were probably made that would not be made today – benefit of hindsight etc.

Is it? You'd think that they'd rewrite it from the ground up for today's world...
__________________
The Un-Funny Truth About Scientology
(Warning: Graphic images)

MacBook Pro 15.4"/2.5 GHz/250GB/4GB RAM
iMac G4 17"/800 Mhz/80GB/512GB RAM
Stridder44 is offline   Reply With Quote
Old Apr 8, 2008, 12:39 PM   #20
jellomizer
macrumors 6502
 
Join Date: Sep 2006
Location: Upstate NY
Quote:
Originally Posted by elppa View Post
Quicktime is great – it was the first proper multimedia software for home computers.

The problem is a lot of the code is very old now and mistakes were probably made that would not be made today – benefit of hindsight etc.

That said it is good Apple are making positive steps towards locking down some of the vulnerabilities. Security is a continuous process though.
Well, QuickTime was around before the buffer overflow was recognized as a security problem. Around the late 90's is when buffer overflows became a problem.

Still today actually using a buffer overflow is a hard hack. But it was possible. Just with memory randomization it helps fix the dependability of such a hack.
__________________
17" Core 2 Duo MacBook Pro
3GB of RAM, 100GB 7200 RPM, Glossy
jellomizer is offline   Reply With Quote
Old Apr 8, 2008, 10:11 AM   #21
guzhogi
macrumors 6502a
 
Join Date: Aug 2003
Quote:
Originally Posted by TheSpecialist View Post
Great job Apple!

Now who is rating this negative? Why would this be negative? For hackers? MS fanboys?
Probably Apple fanboys b/c there were security holes in the first place and the fanboys don't like to see that their idol has flaws.
guzhogi is offline   Reply With Quote
Old Apr 8, 2008, 10:21 AM   #22
err404
macrumors 6502
 
Join Date: Mar 2007
Quote:
Originally Posted by TheSpecialist View Post
Now who is rating this negative? Why would this be negative? For hackers? MS fanboys?
People who need their machines to be trouble free (or at least close to it). It is not that they changed it, it is the impression of being a quick-fix. QT is a very core part of the Mac experience and includes a framework for third party plug-ins. They are probably afraid that this is a reactive change on Apple's part and that it may not have been adequately tested (as implied by the article). Even if this is completely trouble free, the quick implementation can be perceived as poor practice.
Then again for all we know, Apple has been working on this and testing for a year...

That said, I did not give it a negative, but I also abstained from a positive.
__________________
MacBookPro-MacBook-MacMini-iPhone-AppleTV-AEBS-iPodMini
err404 is offline   Reply With Quote
Old Apr 9, 2008, 03:45 AM   #23
kaiwai
Banned
 
Join Date: Oct 2007
Location: Christchurch
Quote:
Originally Posted by err404 View Post
People who need their machines to be trouble free (or at least close to it). It is not that they changed it, it is the impression of being a quick-fix. QT is a very core part of the Mac experience and includes a framework for third party plug-ins. They are probably afraid that this is a reactive change on Apple's part and that it may not have been adequately tested (as implied by the article). Even if this is completely trouble free, the quick implementation can be perceived as poor practice.
Then again for all we know, Apple has been working on this and testing for a year...

That said, I did not give it a negative, but I also abstained from a positive.
Either that, or the fact that it should have been done long ago; as soon as Leopard was released, the bundled version should have (along with everything in the operating system) been compiled with ASLR. There are no excuses these days, if Linux distros and Microsoft can do it, so can Apple.
kaiwai is offline   Reply With Quote
Old Apr 8, 2008, 01:30 PM   #24
jz1492
macrumors member
 
Join Date: Nov 2005
Quote:
Originally Posted by TheSpecialist View Post
Great job Apple!

Now who is rating this negative? Why would this be negative? For hackers? MS fanboys?
Or MS QT users. Since the upgrade, movies drop frames even on 3GHz windoze PCs.

PS: I rated it positive, mind you

Last edited by jz1492 : Apr 8, 2008 at 01:34 PM. Reason: Disclaimer
jz1492 is offline   Reply With Quote
Old Apr 8, 2008, 01:32 PM   #25
Santa Rosa
macrumors 65816
 
Join Date: Aug 2007
Location: Apple Store Buchanan
I really think it is good to hear this. Apple at the moment should take a step back for five minutes from this relentless pace they are going at at the moment and iron out all the bugs and secure everything up so they can carry on with a good basis to be working from. If they keep going at this rate the platform as a whole will suffer as it gets greatly complicated to keep all the devices under control.
__________________
Santa Rosa is offline   Reply With Quote

All times are GMT -5.

Copyright 2002-2009, MacRumors.com, LLC