Security Update 2006-008 Available

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Dec 19, 2006.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    Apple has released Security Update 2006-008 for Mac OS X 10.4.8 (client and server). The 1.8 MB update addresses a vulnerability in QuickTime for Java and Quartz Composer.

    It appears as though the update fixes a vulnerability where a specially-crafted Java applet could obtain images rendered on screen by embedded QuickTime objects and upload them to the originating website. Because QuickTime can be used in conjunction with Quartz Composer, this could theoretically allow a hacker to craft an applet that could obtain an attached (or built-in) iSight camera's images. While external iSight cameras have the ability to physically close an iris and turn the camera off, built-in iSight cameras (such as on the MacBook, MacBook Pro, and iMac) cannot be physically turned off.

    More detailed information can be found via this tech note.
     
  2. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #2
    I knew having a non-turn-offable camera would come back to haunt Apple. At least this vulnerability was fixed, but I wonder if there are other back-doors. Will MOAB find any???
     
  3. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #3
    Is this QuickTime vulnerability related in any way to the infamous MySpace QuickTime vulnerability?
     
  4. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #4
    Doesn't look like it.
     
  5. macrumors 6502a

    IEatApples

    Joined:
    Jan 26, 2004
    Location:
    Northern Hemisphere (Norway)
    #5
    Hehe... Scary bug. :)

    Oh, and it's 2,7 MB on my iMac G5, and you need to restart!
     
  6. macrumors 6502

    Joined:
    Apr 29, 2005
    Location:
    Hobart, Australia
    #6
    Haha, any hacker would get a very uninteresting shot out of my built-in iSight.

    It's 2.7 MB on my MacBook as well.
     
  7. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #7
    Heh... says 1.5 MB on Apple's site. Fixed the article to be more arbitrary. Size doesn't matter ;)
     
  8. macrumors 68020

    mainstreetmark

    Joined:
    May 7, 2003
    Location:
    Saint Augustine, FL
    #8
    This might be the only case I ever heard of where you can say "I didn't really fix the bug, but I put a bandaid on it" (over the camera lens)
     
  9. macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #9
    It's my understanding that although there's no iris, there's ALSO no way--due to the electrical design of the iSight--to have the camera turned on without the green On Air light also being on. So at least you always have warning when an app is using the camera. Further clarifications welcomed.
     
  10. macrumors 68040

    plinden

    Joined:
    Apr 8, 2004
    #10
    Could people read the description on Apple's website carefully and tell me if I'm totally wrong in thinking that this has nothing at all to do with iSight, and everything to do with being able to retrieve images that are being rendered on screen by QuickTime?

    And is it a new policy now for Apple to provide plenty of details about the fix, even if it's being misunderstood (by me or the MacRumors administrator who posted this)?
     
  11. Viv
    macrumors regular

    Joined:
    Sep 11, 2003
    Location:
    Normandy, France
    #11
    Such a little update for such a big issue:)

    Installed ok seemed to boot faster and Safari seems snappier;-)
     
  12. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #12
    That is theoretically correct. Basically, that's what Steve said when he introduced the built-in version without the Iris. However, I hesitate to say 100% definitive statements like "no way". For instance, what if the LED actually burns out or loses contact? The hardware may still be sending the signal for it to turn on, but I don't know if it would be smart enough to realize that the LED isn't operating correctly and therefore the iSight shouldn't operate. In such a case, you may see the iSight work and the LED not illuminate.

    I'm just hypothesizing, but trying to prove my point that it's dangerous to say 100% definitive things :)
     
  13. macrumors regular

    Joined:
    May 9, 2006
    Location:
    USA
    #13
    I bought my mom an iMac a month ago and she specifically asked me if something like this could happen. Mothers always know.
     
  14. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #14
    You have to read into what they are saying a bit. The update is for both QuickTime AND Quartz Composer. Quartz Composer can be used to control an iSight, so when you use it in conjunction with QuickTime, you could actually write an applet on a webpage that displays your iSight imagery. Now, theoretically those images should only be viewable on your screen and not accessible to the remote web server, but the vulnerability was that QuickTime for Java could actually grab the Quartz Composer images. Thus, it could grab your iSight images.

    If you have an iSight, you can go to the following website to see how Quartz Composer can control your iSight on a website. It's O'Reilly's site, so while I can't 100% guarantee that it doesn't contain malicious code, I think we should be pretty safe. At least, the site doesn't appear to use QuickTime for Java, which is where the vulnerability is. http://www.oreillynet.com/lpt/wlg/7409
     
  15. macrumors 6502a

    IEatApples

    Joined:
    Jan 26, 2004
    Location:
    Northern Hemisphere (Norway)
    #15
    But you're not 100% sure? :D ;)
     
  16. Moderator

    840quadra

    Staff Member

    Joined:
    Feb 1, 2005
    Location:
    Land of 10,000 Lakes
    #16
    You could always use White out, or a white strip of tape..

    I have only "used" my iSight camera on my macbook once. Otherwise it is wasted hardware. :(
     
  17. macrumors 6502a

    IEatApples

    Joined:
    Jan 26, 2004
    Location:
    Northern Hemisphere (Norway)
    #17
    NOT TRUE!

    I use my iSight all the time.
     
  18. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #18
    I'm about 95%
     
  19. Moderator

    840quadra

    Staff Member

    Joined:
    Feb 1, 2005
    Location:
    Land of 10,000 Lakes
    #19
    That's fine, and good for you :)

    I was actually talking about my iSight in my MacBook ;) .

    Now, how unsure are you about the other 5% ?
     
  20. macrumors 6502a

    IEatApples

    Joined:
    Jan 26, 2004
    Location:
    Northern Hemisphere (Norway)
    #20
    :D Sorry!!! :p ;)
     
  21. macrumors 65816

    japanime

    Joined:
    Feb 27, 2006
    Location:
    Japan
    #21
    I use my MacBook in closed-lid mode, attached to an iSight-less external monitor.

    Problem solved! :D
     
  22. macrumors 603

    SiliconAddict

    Joined:
    Jun 19, 2003
    Location:
    Chicago, IL
    #22
    Who cares? Seriously. The light comes on, on the camera when it's on. In any case you will know when it's in use.
     
  23. macrumors 68020

    SeaFox

    Joined:
    Jul 22, 2003
    Location:
    Somewhere Else
    #23
    In related news, it has been announced the Month of OSX Bugs will not start until January 2nd, but will still end January 31st.
     
  24. macrumors 68020

    SeaFox

    Joined:
    Jul 22, 2003
    Location:
    Somewhere Else
    #24
    Since the camera only has to be on long enough to capture an image, it could take a still image and only be on as long as the "shutter", which might be hard to catch if you're not paying attention. One of those things where you might "think you saw it" but then convince yourself you were imagining things.
     
  25. macrumors 68020

    DavidLeblond

    Joined:
    Jan 6, 2004
    Location:
    Raleigh, NC
    #25
    I use your iSight all the time.

    Which reminds me, don't download that software update please, you're interesting to watch.
     
