Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
56,622
19,370


With Quicktime increasingly becoming a target for malicious hackers, eWeek reports that Apple has made several steps to make Quicktime more secure in the latest version (7.4.5) released just last week.

Besides patching 11 security vulnerabilities, the new version of Quicktime adds a few new features such as ASLR (address space layout randomization), stack buffer safety checking and function call hardening, all of which make it much more difficult to hack Quicktime.

Security researchers have applauded the efforts:
"That's a pretty big change for a point release," said Dino Dai Zovi, a hacker who has written multiple exploits for QuickTime. "They [Apple] have way more guts than many other software companies to do something like that. Either that, or they are afraid of the backlash if malware starts targeting QuickTime and iTunes in a more serious way."

Article Link
 

Eraserhead

macrumors G4
Nov 3, 2005
10,433
12,250
UK
Good to know that they've improved it. I notice that the latest Safari has also blocked cross site scripting, unlike Internet Explorer and Firefox.
 

samh004

macrumors 68020
Mar 1, 2004
2,222
140
Australia
I guess you don't want to make an announcement that you've tightened things up, only to have everyone look for that one error in coding and then say you really haven't done the job... best to just secretly update it. Point release FTW!
 

BrianMojo

macrumors regular
Jul 10, 2006
185
0
Boston, MA
This is pretty cool. I honestly was getting a bit concerned about how many exploits were targeting Quicktime specifically, and this seems like a logical reaction.
 

elppa

macrumors 68040
Nov 26, 2003
3,233
150
Quicktime is great – it was the first proper multimedia software for home computers.

The problem is a lot of the code is very old now and mistakes were probably made that would not be made today – benefit of hindsight etc.

That said it is good Apple are making positive steps towards locking down some of the vulnerabilities. Security is a continuous process though.
 

eastcoastsurfer

macrumors 6502a
Feb 15, 2007
600
27
Good to know that they've improved it. I notice that the latest Safari has also blocked cross site scripting, unlike Internet Explorer and Firefox.

Last I checked FF has had this blocked for a long time. It's a reason I have to use a proxy web service to call web services on other machines from AJAX stuff running on FF. IE (6 at least) happily allows me to call web services on other servers from js running on the client.

Block cross-site scripting? How exactly would Safari do that?

Pretty simple. When you load a web page, java script on that page can only send requests back to the server you loaded the original page from. This stops you from going to a site which seems legit that then has js sending data to another site which isn't legit.
 

forever.b0rked

macrumors newbie
Apr 8, 2008
4
0
While I applaud the fact they finally did this, I think this is mostly marketing hype for something that should have been done a long time ago.

You can't implement ASLR in an application, it has to be done by the operating system, which both Vista and OS X do (Vista more effectively than OS X). It has to be enabled via a compiler flag when the application is compiled, it isn't that difficult to do and should have been done from day one with the Windows version and after Leopard was released. I also think this will be better for Windows users than Mac users, mostly because the OS X implementation of ASLR isn't all that effective, I've researched it a little bit since I got my MBP about a month ago and I don't see where much of anything is randomized. There are some libraries that are, but for the most part they are at the same location every time I looked. That and, most memory locations are still marked executable, which is not good.

As for the stack checks (stack canaries would be a better way to describe it), thats all good but again, it should have been done long ago. That type of thing has been around for a long time now and Microsoft first started using them widespread in SP2. As for function call hardening, I don't know wtf that is supposed to mean.

So its all good that they are doing this, but it should have been done a long time ago. Now they just need to fix randomization and NX in Leopard :/
Good to know that they've improved it. I notice that the latest Safari has also blocked cross site scripting, unlike Internet Explorer and Firefox.

You can't block cross site scripting in the browser. The browser is doing what it is told to do when an XSS is exploited, it renders the HTML that is returned when you visit the exploited page (persistent) or follow a link (reflected). The javascript doesn't have to come from another server.
 

Stridder44

macrumors 68040
Mar 24, 2003
3,971
171
California
Quicktime is great – it was the first proper multimedia software for home computers.

The problem is a lot of the code is very old now and mistakes were probably made that would not be made today – benefit of hindsight etc.


Is it? You'd think that they'd rewrite it from the ground up for todays world...
 

axcess99

macrumors regular
Jul 1, 2005
136
129
Pretty simple. When you load a web page, java script on that page can only send requests back to the server you loaded the original page from. This stops you from going to a site which seems legit that then has js sending data to another site which isn't legit.

That is how javascript pages are supposed to work. IE, FF, Safari, all do that in addition to other steps. That is not XSS. Please see http://en.wikipedia.org/wiki/Same_origin_policy and http://en.wikipedia.org/wiki/Cross-site_scripting respectively.
 

MrFrankly

macrumors regular
Jan 11, 2006
110
0
Pretty simple. When you load a web page, java script on that page can only send requests back to the server you loaded the original page from. This stops you from going to a site which seems legit that then has js sending data to another site which isn't legit.

That is not cross-site scripting. What you're describing is called cross-site request forgery (confusing, I know).

forever.b0rked explains what I tried to rhetorically ask Eraserhead
 

eastcoastsurfer

macrumors 6502a
Feb 15, 2007
600
27
That is how javascript pages are supposed to work. IE, FF, Safari, all do that in addition to other steps. That is not XSS. Please see http://en.wikipedia.org/wiki/Same_origin_policy and http://en.wikipedia.org/wiki/Cross-site_scripting respectively.

If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...
 

MrFrankly

macrumors regular
Jan 11, 2006
110
0
If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...

The cross-site scripting part of that scenario is just part 3 where she posts the message. The fact that it's sending something to a different server is not necessarily part of cross-site scripting. It's just a way to make it useful.
 

twoodcc

macrumors P6
Feb 3, 2005
15,307
26
Right side of wrong
Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A102 Safari/419.3)

that's good to hear. I guess I better install this on all my machines
 

PlaceofDis

macrumors Core
Jan 6, 2004
19,241
6
security is an on-going process, and i'm glad that Apple are trying to be pro-active about it rather than reactionary, for the most part.
 

err404

macrumors 68030
Mar 4, 2007
2,524
624
Now who is rating this negative:confused:why would this be negative? For hackers? MS fanboys?
People who need their machines to be trouble free (or at least close to it). It is not that they changed it, it is the impression of being a quick-fix. QT is a very core part of the Mac experience and includes a framework for third party plug-ins. They are probably afraid that this is a reactive change on Apple's part and that it may not of been adequately tested (as implied by the article). Even if this is completely trouble free, the quick implementation can be perceived as poor practice.
Then again for all we know, Apple has been working on this and testing for a year...

That said, I did not give it a negative, but I also abstained from a positive.
 

clevin

macrumors G3
Aug 6, 2006
9,095
1
If you look at the Cross-site_scripting link you sent, the Persistent Exploit scenario they describe exactly what I described. Someone putting js on a page that interacts with another web server that the page did not originate from. But you're right, XSS means a lot more than just that type of exploit now...

thats part of the reason why an anti-phishing, anti-malicious websites mechanism is so important in modern browsers. :) Too bad safari still doesn't offer this.

Anyway, there is always noscripts for firefox..

PS. my impression is that XSS isn't all bad, somebody clarify this?
PS2. I noticed two updates (iTunes 7.6.2and QT 7.4.5) again are ~90MB in size.. will apple ever be able to make some partial update packages and save me some download time? or people with slow internet speed don't deserve same level of security?
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
I've researched it a little bit since I got my MBP about a month ago and I don't see where much of anything is randomized. There are some libraries that are, but for the most part they are at the same location every time I looked.
You should compare it across different systems. The main goal is to make the library locations on different systems load at different addresses. Of course I agree that it appears Leopard has the weaker implementation compared to Vista. Also the use of NX is problematic for backward compatibility (of course it likely could be applied more, not looked closely at it yet at the OS library level)... IIRC in the 64 bit runtime it is used more consistently given no backwards compatibility issues.

As for function call hardening, I don't know wtf that is supposed to mean.
Better and more consistent parameter and pre/post condition validation. In other words ensuring that the data passed to a function is sensible and that the function call makes sense given the current state of the system.

the quick implementation can be perceived as poor practice.
Apple has been working on this stuff, likely in a branch, for a while now. Nothing quick about it.
 

sleepingworker

macrumors 6502a
Feb 26, 2003
579
0
Manhattan, NY
It makes sense to me that as Apple become more popular (and claims that their codes are harder to hack) that the company will become more of a target for malware.
 

batchtaster

macrumors 65816
Mar 3, 2008
1,031
217
While I applaud the fact they finally did this, I think this is mostly marketing hype for something that should have been done a long time ago.

I'm sorry, but WTF? What "marketing hype" (your words)? Apple haven't said word #1 about it, and you're dismissing it as just lip-service? Apple's actual QuickTime security statement is here: http://support.apple.com/kb/HT1241. Show me the "marketing hype". Until then, your other blah is just blah; I lost all interest and didn't bother reading it because i figure it's tainted.
 

elppa

macrumors 68040
Nov 26, 2003
3,233
150
Is it? You'd think that they'd rewrite it from the ground up for todays world...

Do I detect sarcasm? :D

Of course they could, but Quicktime is huge, it would take a long, long time and probably break a lot of stuff along the way.

Or, at the very least, back during the OS 9 > X transition.

There was quite a bit on the plate then, porting Quicktime to NeXTSTEP was a huge undertaking. I believe as a consequence of this effort carbon applications were invented.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.