Security Update 2006-008 Available

Discussion in 'News Discussion' started by MacRumors, Dec 19, 2006.

  1. macrumors bot



    Apple has released Security Update 2006-008 for Mac OS X 10.4.8 (client and server). The 1.8 MB update addresses a vulnerability in QuickTime for Java and Quartz Composer.

    It appears as though the update fixes a vulnerability where a specially-crafted Java applet could obtain images rendered on screen by embedded QuickTime objects and upload them to the originating website. Because QuickTime can be used in conjunction with Quartz Composer, this could theoretically allow a hacker to craft an applet that could obtain an attached (or built-in) iSight camera's images. While external iSight cameras have the ability to physically close an iris and turn the camera off, built-in iSight cameras (such as on the MacBook, MacBook Pro, and iMac) cannot be physically turned off.

    More detailed information can be found via this tech note.
  2. Editor emeritus


    I knew having a non-turn-offable camera would come back to haunt Apple. At least this vulnerability was fixed, but I wonder if there are other back-doors. Will MOAB find any???
  3. Moderator emeritus


    Is this QuickTime vulnerability related in any way to the infamous MySpace QuickTime vulnerability?
  4. Editor emeritus


    Doesn't look like it.
  5. macrumors 6502a


    Hehe... Scary bug. :)

    Oh, and it's 2.7 MB on my iMac G5, and you need to restart!
  6. macrumors 6502

    Haha, any hacker would get a very uninteresting shot out of my built-in iSight.

    It's 2.7 MB on my MacBook as well.
  7. Editor emeritus


    Heh... says 1.5 MB on Apple's site. Fixed the article to be more arbitrary. Size doesn't matter ;)
  8. macrumors 68020


    This might be the only case I ever heard of where you can say "I didn't really fix the bug, but I put a band-aid on it" (over the camera lens).
  9. macrumors G5


    It's my understanding that although there's no iris, there's ALSO no way, due to the electrical design of the iSight, to have the camera turned on without the green On Air light also being on. So at least you always have warning when an app is using the camera. Further clarifications welcomed.
  10. macrumors 68040


    Could people read the description on Apple's website carefully and tell me if I'm totally wrong in thinking that this has nothing at all to do with iSight, and everything to do with being able to retrieve images that are being rendered on screen by QuickTime?

    And is it a new policy now for Apple to provide plenty of details about the fix, even if it's being misunderstood (by me or the MacRumors administrator who posted this)?
  11. Viv
    macrumors regular

    Such a little update for such a big issue :)

    Installed OK, seemed to boot faster, and Safari seems snappier ;-)
  12. Editor emeritus


    That is theoretically correct. Basically, that's what Steve said when he introduced the built-in version without the iris. However, I hesitate to say 100% definitive statements like "no way". For instance, what if the LED actually burns out or loses contact? The hardware may still be sending the signal for it to turn on, but I don't know if it would be smart enough to realize that the LED isn't operating correctly and therefore the iSight shouldn't operate. In such a case, you may see the iSight work and the LED not illuminate.

    I'm just hypothesizing, but trying to prove my point that it's dangerous to say 100% definitive things :)
  13. macrumors regular

    I bought my mom an iMac a month ago and she specifically asked me if something like this could happen. Mothers always know.
  14. Editor emeritus


    You have to read into what they are saying a bit. The update is for both QuickTime AND Quartz Composer. Quartz Composer can be used to control an iSight, so when you use it in conjunction with QuickTime, you could actually write an applet on a webpage that displays your iSight imagery. Now, theoretically those images should only be viewable on your screen and not accessible to the remote web server, but the vulnerability was that QuickTime for Java could actually grab the Quartz Composer images. Thus, it could grab your iSight images.

    If you have an iSight, you can go to the following website to see how Quartz Composer can control your iSight on a website. It's O'Reilly's site, so while I can't 100% guarantee that it doesn't contain malicious code, I think we should be pretty safe. At least, the site doesn't appear to use QuickTime for Java, which is where the vulnerability is.
  15. macrumors 6502a


    But you're not 100% sure? :D ;)
  16. Moderator


    Staff Member

    You could always use white-out, or a white strip of tape.

    I have only "used" my iSight camera on my macbook once. Otherwise it is wasted hardware. :(
  17. macrumors 6502a



    I use my iSight all the time.
  18. Editor emeritus


    I'm about 95%
  19. Moderator


    Staff Member

    That's fine, and good for you :)

    I was actually talking about my iSight in my MacBook ;) .

    Now, how unsure are you about the other 5% ?
  20. macrumors 6502a


    :D Sorry!!! :p ;)
  21. macrumors 65816


    I use my MacBook in closed-lid mode, attached to an iSight-less external monitor.

    Problem solved! :D
  22. macrumors 603


    Who cares? Seriously. The light on the camera comes on when it's on. In any case you will know when it's in use.
  23. macrumors 68020


    In related news, it has been announced the Month of OSX Bugs will not start until January 2nd, but will still end January 31st.
  24. macrumors 68020


    Since the camera only has to be on long enough to capture an image, it could take a still image and only be on as long as the "shutter", which might be hard to catch if you're not paying attention. One of those things where you might "think you saw it" but then convince yourself you were imagining things.
  25. macrumors 68020


    I use your iSight all the time.

    Which reminds me, don't download that software update please, you're interesting to watch.
