macrumors bot
Original poster
Apr 12, 2001


With Quicktime increasingly becoming a target for malicious hackers, eWeek reports that Apple has made several steps to make Quicktime more secure in the latest version (7.4.5) released just last week.

Besides patching 11 security vulnerabilities, the new version of Quicktime adds a few new features such as ASLR (address space layout randomization), stack buffer safety checking and function call hardening, all of which make it much more difficult to hack Quicktime.

Security researchers have applauded the efforts:
"That's a pretty big change for a point release," said Dino Dai Zovi, a hacker who has written multiple exploits for QuickTime. "They [Apple] have way more guts than many other software companies to do something like that. Either that, or they are afraid of the backlash if malware starts targeting QuickTime and iTunes in a more serious way."

 
Good to know that they've improved it. I notice that the latest Safari has also blocked cross site scripting, unlike Internet Explorer and Firefox.
 
I guess you don't want to make an announcement that you've tightened things up, only to have everyone look for that one error in coding and then say you really haven't done the job... best to just secretly update it. Point release FTW!
 
This is pretty cool. I honestly was getting a bit concerned about how many exploits were targeting Quicktime specifically, and this seems like a logical reaction.
 
Quicktime is great – it was the first proper multimedia software for home computers.

The problem is a lot of the code is very old now and mistakes were probably made that would not be made today – benefit of hindsight etc.

That said it is good Apple are making positive steps towards locking down some of the vulnerabilities. Security is a continuous process though.
 
Good to know that they've improved it. I notice that the latest Safari has also blocked cross site scripting, unlike Internet Explorer and Firefox.

Last I checked FF has had this blocked for a long time. It's a reason I have to use a proxy web service to call web services on other machines from AJAX stuff running on FF. IE (6 at least) happily allows me to call web services on other servers from js running on the client.

Block cross-site scripting? How exactly would Safari do that?

Pretty simple. When you load a web page, JavaScript on that page can only send requests back to the server you loaded the original page from. This stops you from going to a site which seems legit that then has js sending data to another site which isn't legit.
 
While I applaud the fact they finally did this, I think this is mostly marketing hype for something that should have been done a long time ago.

You can't implement ASLR in an application, it has to be done by the operating system, which both Vista and OS X do (Vista more effectively than OS X). It has to be enabled via a compiler flag when the application is compiled, it isn't that difficult to do and should have been done from day one with the Windows version and after Leopard was released. I also think this will be better for Windows users than Mac users, mostly because the OS X implementation of ASLR isn't all that effective, I've researched it a little bit since I got my MBP about a month ago and I don't see where much of anything is randomized. There are some libraries that are, but for the most part they are at the same location every time I looked. That and, most memory locations are still marked executable, which is not good.

As for the stack checks (stack canaries would be a better way to describe it), that's all good but again, it should have been done long ago. That type of thing has been around for a long time now and Microsoft first started using them widespread in SP2. As for function call hardening, I don't know wtf that is supposed to mean.

So it's all good that they are doing this, but it should have been done a long time ago. Now they just need to fix randomization and NX in Leopard :/
Good to know that they've improved it. I notice that the latest Safari has also blocked cross site scripting, unlike Internet Explorer and Firefox.

You can't block cross site scripting in the browser. The browser is doing what it is told to do when an XSS is exploited, it renders the HTML that is returned when you visit the exploited page (persistent) or follow a link (reflected). The javascript doesn't have to come from another server.
 
Quicktime is great – it was the first proper multimedia software for home computers.

The problem is a lot of the code is very old now and mistakes were probably made that would not be made today – benefit of hindsight etc.


Is it? You'd think that they'd rewrite it from the ground up for today's world...
 
Pretty simple. When you load a web page, JavaScript on that page can only send requests back to the server you loaded the original page from. This stops you from going to a site which seems legit that then has js sending data to another site which isn't legit.

That is how javascript pages are supposed to work. IE, FF, Safari, all do that in addition to other steps. That is not XSS. Please see http://en.wikipedia.org/wiki/Same_origin_policy and http://en.wikipedia.org/wiki/Cross-site_scripting respectively.
 
Pretty simple. When you load a web page, JavaScript on that page can only send requests back to the server you loaded the original page from. This stops you from going to a site which seems legit that then has js sending data to another site which isn't legit.

That is not cross-site scripting. What you're describing is called cross-site request forgery (confusing, I know).

forever.b0rked explains what I tried to rhetorically ask Eraserhead
 
That is how javascript pages are supposed to work. IE, FF, Safari, all do that in addition to other steps. That is not XSS. Please see http://en.wikipedia.org/wiki/Same_origin_policy and http://en.wikipedia.org/wiki/Cross-site_scripting respectively.

If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe is exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...
 
If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe is exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...

The cross-site scripting part of that scenario is just part 3 where she posts the message. The fact that it's sending something to a different server is not necessarily part of cross-site scripting. It's just a way to make it useful.
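The point the last few posts are making, as an added example that is not code from the thread: a script stored in a post (persistent) or echoed from a URL parameter (reflected) is delivered by the vulnerable site itself, so it runs in that site's own origin and the same-origin policy never enters into it; escaping untrusted text on output is the mitigation. The site name forum.example and the sample post are constructed for the example.

```javascript
// Escape the five characters that matter when inserting text into HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable rendering: untrusted post body concatenated straight into markup.
function renderPostUnsafe(body) {
  return `<div class="post">${body}</div>`;
}

// Hardened rendering: identical markup, body escaped first.
function renderPostSafe(body) {
  return `<div class="post">${escapeHtml(body)}</div>`;
}

// Reflected variant: a search page that echoes the "q" query parameter.
function renderSearchPage(url, escape) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Results for ${escape ? escapeHtml(q) : q}</h1>`;
}

// Crude check: does the produced HTML contain a live <script> element?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// An inline script in a page executes in that page's origin, whoever typed it.
// The same-origin policy compares document origins, not authors.
function executionOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// Constructed sample input (hypothetical site and post, not from the thread).
const PAGE_URL = 'https://forum.example/thread/1';
const SAMPLE_POST = 'Great release! <script>alert("xss")</script>';
const SEARCH_URL = 'https://forum.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E';

function demo() {
  return {
    storedUnsafe: containsScript(renderPostUnsafe(SAMPLE_POST)),     // true
    storedSafe: containsScript(renderPostSafe(SAMPLE_POST)),         // false
    reflectedUnsafe: containsScript(renderSearchPage(SEARCH_URL, false)), // true
    reflectedSafe: containsScript(renderSearchPage(SEARCH_URL, true)),    // false
    origin: executionOrigin(PAGE_URL),                               // "https://forum.example"
  };
}
```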
 

that's good to hear. I guess I better install this on all my machines
 
security is an on-going process, and i'm glad that Apple are trying to be pro-active about it rather than reactionary, for the most part.
 
Now who is rating this negative? :confused: Why would this be negative? For hackers? MS fanboys?
People who need their machines to be trouble free (or at least close to it). It is not that they changed it, it is the impression of being a quick-fix. QT is a very core part of the Mac experience and includes a framework for third party plug-ins. They are probably afraid that this is a reactive change on Apple's part and that it may not have been adequately tested (as implied by the article). Even if this is completely trouble free, the quick implementation can be perceived as poor practice.
Then again for all we know, Apple has been working on this and testing for a year...

That said, I did not give it a negative, but I also abstained from a positive.
 
If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe is exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...

that's part of the reason why an anti-phishing, anti-malicious websites mechanism is so important in modern browsers. :) Too bad safari still doesn't offer this.

Anyway, there is always noscripts for firefox..

PS. my impression is that XSS isn't all bad, somebody clarify this?
PS2. I noticed two updates (iTunes 7.6.2 and QT 7.4.5) again are ~90MB in size.. will apple ever be able to make some partial update packages and save me some download time? or people with slow internet speed don't deserve same level of security?
 
I've researched it a little bit since I got my MBP about a month ago and I don't see where much of anything is randomized. There are some libraries that are, but for the most part they are at the same location every time I looked.
You should compare it across different systems. The main goal is to make the library locations on different systems load at different addresses. Of course I agree that it appears Leopard has the weaker implementation compared to Vista. Also the use of NX is problematic for backward compatibility (of course it likely could be applied more, not looked closely at it yet at the OS library level)... IIRC in the 64 bit runtime it is used more consistently given no backwards compatibility issues.

As for function call hardening, I don't know wtf that is supposed to mean.
Better and more consistent parameter and pre/post condition validation. In other words ensuring that the data passed to a function is sensible and that the function call makes sense given the current state of the system.

the quick implementation can be perceived as poor practice.
Apple has been working on this stuff, likely in a branch, for a while now. Nothing quick about it.
 
It makes sense to me that as Apple become more popular (and claims that their codes are harder to hack) that the company will become more of a target for malware.
 
While I applaud the fact they finally did this, I think this is mostly marketing hype for something that should have been done a long time ago.

I'm sorry, but WTF? What "marketing hype" (your words)? Apple haven't said word #1 about it, and you're dismissing it as just lip-service? Apple's actual QuickTime security statement is here: http://support.apple.com/kb/HT1241. Show me the "marketing hype". Until then, your other blah is just blah; I lost all interest and didn't bother reading it because I figure it's tainted.
 
Is it? You'd think that they'd rewrite it from the ground up for today's world...

Do I detect sarcasm? :D

Of course they could, but Quicktime is huge, it would take a long, long time and probably break a lot of stuff along the way.

Or, at the very least, back during the OS 9 > X transition.

There was quite a bit on the plate then, porting Quicktime to NeXTSTEP was a huge undertaking. I believe as a consequence of this effort carbon applications were invented.
 