
Eraserhead

macrumors G4
Nov 3, 2005
10,434
12,250
UK
That is not cross-site scripting. What you're describing is called cross-site request forgery (confusing, I know).

forever.b0rked explains what I tried to rhetorically ask Eraserhead

Sorry, I was busy so I didn't respond. Basically, some pages don't display properly in Safari, with the following error in the web inspector:

Unsafe Javascript attempt to access http://www.somewebsite.com from frame with URL http://blahblah.somewebsite.com domains, protocols and ports must match
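The error above is Safari enforcing the same-origin policy between frames. As an added illustration (not code from the thread or from Safari; the function names are my own), this reduces the two quoted URLs to their scheme/host/port origin and shows why two subdomains of the same site do not match, plus the document.domain-style relaxation a site of that era could have used to script across its own subdomains:

```javascript
// Added example (not from the thread): the same-origin rule behind Safari's
// "domains, protocols and ports must match" message. Function names
// (originOf, sameOrigin, canAccessWithDocumentDomain) are my own.

// Default port per scheme, so http://a.example and http://a.example:80 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its (scheme, host, port) origin triple.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// A frame may only script another frame when all three parts match exactly.
// A subdomain is a different host, so sharing a parent domain is not enough.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// True when `candidate` is `host` itself or a parent domain of it.
function isParentDomain(host, candidate) {
  return host === candidate || host.endsWith("." + candidate);
}

// The legacy relaxation: both frames set document.domain to the same value,
// which the browser only accepted if it was a suffix of each frame's real host.
// This emulates that check; it never allowed an arbitrary third-party domain.
function canAccessWithDocumentDomain(a, b, chosenDomain) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme &&
    isParentDomain(x.host, chosenDomain) &&
    isParentDomain(y.host, chosenDomain);
}
```

Modern pages would use window.postMessage between the frames instead, which keeps the two origins separate and avoids widening the trust boundary.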
 

forever.b0rked

macrumors newbie
Apr 8, 2008
4
0
IIRC in the 64 bit runtime it is used more consistently given no backwards compatibility issues.

Yeah, that seems to be the case from what I remember. I only spent about an hour fiddling with it when I first got my laptop; I've been meaning to go back and do some more research but I never got around to it.

Better and more consistent parameter and pre/post condition validation. In other words ensuring that the data passed to a function is sensible and that the function call makes sense given the current state of the system.

Interesting. I might crank up BinDiff and see what exactly they are doing.

I'm sorry, but WTF? What "marketing hype" (your words)? Apple haven't said word #1 about it, and you're dismissing it as just lip-service? Apple's actual QuickTime security statement is here: http://support.apple.com/kb/HT1241. Show me the "marketing hype". Until then, your other blah is just blah; I lost all interest and didn't bother reading it because I figure it's tainted.

You are right, marketing hype was a bad choice of words. What I was trying to get at is that while this is great and all, making a big deal out of this is kind of like praising a child for using the toilet for the first time. It is great that they are taking the steps, but it should be expected behavior for any mature software company.
 

err404

macrumors 68030
Mar 4, 2007
2,525
623
Apple has been working on this stuff, likely in a branch, for a while now. Nothing quick about it.
That's what everyone would assume and why I didn't give it a negative myself. The impression remains that this was a bit drastic for a dot release and that its release was more tactical than strategic.
 

chrisgeleven

macrumors 6502
Apr 28, 2002
487
75
Is it? You'd think that they'd rewrite it from the ground up for today's world...

Easier said than done. While I imagine parts of QuickTime were rewritten for OS X, that doesn't mean all of it was rewritten. There is probably significant code that predates OS X and might even go back to when QuickTime was first written.
 

Eraserhead

macrumors G4
Nov 3, 2005
10,434
12,250
UK
That's part of the reason why an anti-phishing, anti-malicious-websites mechanism is so important in modern browsers. :) Too bad Safari still doesn't offer this.

Anti-phishing is OK, stopping cross-site scripting is good (any attacks are more subtle), and both is even better from a security POV.

PS: my impression is that XSS isn't all bad; somebody clarify this?

Well, it's not; the website I noticed this on was using it legitimately. However, they could have done it another way, and to be honest it doesn't really have too many legitimate uses.
 

jellomizer

macrumors 6502
Sep 12, 2006
486
4
Upstate NY
Quicktime is great – it was the first proper multimedia software for home computers.

The problem is a lot of the code is very old now and mistakes were probably made that would not be made today – benefit of hindsight etc.

That said it is good Apple are making positive steps towards locking down some of the vulnerabilities. Security is a continuous process though.

Well, QuickTime was around before the buffer overflow was recognized as a security problem. Around the late 90s is when buffer overflows became a problem.

Still, today actually using a buffer overflow is a hard hack. But it was possible. Just with memory randomization it helps fix the dependability of such a hack.
 

jellomizer

macrumors 6502
Sep 12, 2006
486
4
Upstate NY
Anti-phishing is OK, stopping cross-site scripting is good (any attacks are more subtle), and both is even better from a security POV.

Phishing is actually a big problem. I would say worse than cross-site scripting. Cross-site scripting usually happened when you are on questionable websites, kind of an "I know I shouldn't be there" type of action.

But phishing is actually more subtle. Let's say I go to XYZBank.com but I typed in XYZBenk.com or XYZ-Bank.com... Something I wouldn't quickly catch. And the site looks just like my bank. I enter my password and username. It gives an error that the bank site is under maintenance.... But by that time I am already dead.
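The lookalike domains in that scenario are exactly what a typosquat check on a browser extension, mail gateway or proxy is meant to catch. As an added example (not from the thread; the watchlist and function names are my own constructions), this normalises a hostname and flags it when its core label is within one edit of a watched brand:

```javascript
// Added example (not from the thread): flag lookalike domains such as the
// XYZBenk.com / XYZ-Bank.com cases against a watchlist of brands you care
// about. KNOWN_BRANDS, MAX_EDITS and the function names are my own.

const KNOWN_BRANDS = ["xyzbank.com"]; // constructed watchlist, one entry
const MAX_EDITS = 1;                  // edits tolerated before a name is "lookalike"

// Second-level label of a hostname, lowercased, with hyphens dropped, so that
// "XYZ-Bank.com" and "www.xyzbank.com" both normalise to "xyzbank".
function coreLabel(host) {
  const labels = host.toLowerCase().split(".");
  const sld = labels.length >= 2 ? labels[labels.length - 2] : labels[0];
  return sld.replace(/-/g, "");
}

// Levenshtein edit distance (insert/delete/substitute), single-row variant.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let left = i;        // cur[j-1], starts as cur[0] = i
    let diag = prev[0];  // prev[j-1], starts as prev[0] = i-1
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      const val = Math.min(prev[j] + 1, left + 1, diag + cost);
      diag = prev[j];    // save old prev[j] before overwriting it
      prev[j] = val;
      left = val;
    }
  }
  return prev[b.length];
}

// "exact" when the host is the brand or a subdomain of it, "lookalike" when
// its core label is within MAX_EDITS of the brand's (hyphen-stripped, so a
// different TLD or an inserted hyphen is still caught), else "unrelated".
function classifyHost(host) {
  const h = host.toLowerCase();
  const label = coreLabel(h);
  for (const brand of KNOWN_BRANDS) {
    if (h === brand || h.endsWith("." + brand)) return { verdict: "exact", brand };
    if (editDistance(label, coreLabel(brand)) <= MAX_EDITS) return { verdict: "lookalike", brand };
  }
  return { verdict: "unrelated", brand: null };
}
```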
 

quest4apple

macrumors member
Apr 3, 2008
45
0
I must admit that most of the posts in this thread are over my head, but it is great to hear that Apple is addressing these issues. I really enjoyed seeing the quote on the front page from one of the hackers themselves.
 

Virgil-TB2

macrumors 65816
Aug 3, 2007
1,143
1
Dai Zovi

All I have to say is that if a biased anti-Apple *sshole like Dai Zovi thinks that this "might be a good thing," then in actuality, it's probably a great thing and will do a great deal to actually help with QT security. He is classic Apple-hater with an oft-stated "mission" to make Apple look bad.
 

forever.b0rked

macrumors newbie
Apr 8, 2008
4
0
Well, QuickTime was around before the buffer overflow was recognized as a security problem. Around the late 90s is when buffer overflows became a problem.

Still, today actually using a buffer overflow is a hard hack. But it was possible. Just with memory randomization it helps fix the dependability of such a hack.

No, buffer overflows have been a documented issue for over 20-30 years, they are hardly a new issue. There have been new exploitation methods and new types of buffer overflows detailed (note detailed, not discovered) since then, but the idea behind them has been around for a very long time (I'd actually like to say longer than 30 years but I can't recall any specific sources off hand that would imply it was a known issue beyond 20 years ago).

As for them being hard to exploit, that really isn't the case. It can be, it just depends on the vulnerability.

All I have to say is that if a biased anti-Apple *sshole like Dai Zovi thinks that this "might be a good thing," then in actuality, it's probably a great thing and will do a great deal to actually help with QT security. He is classic Apple-hater with an oft-stated "mission" to make Apple look bad.

Do you blame him?

I don't blame most of the security community for not liking Apple. They (Apple) have been unethical and irresponsible in the past when dealing with the security community and to this day, I don't know anyone that deals with the Apple security team and has anything positive to say. It was only a year ago when they threatened lawsuits against Dave Maynor over the WiFi vulnerability and against CanSecWest presenters. I think a lot of the hostilities have died down lately, but Dai Zovi's attitude is one that a good portion of the security research community shares.
 

jz1492

macrumors member
Nov 9, 2005
81
4
Great job Apple :D :D :apple: !

Now who is rating this negative? :confused: Why would this be negative? For hackers? MS fanboys?

Or MS QT users. Since the upgrade, movies drop frames even on 3GHz windoze PCs.

PS: I rated it positive, mind you
 

Santa Rosa

macrumors 65816
Aug 22, 2007
1,051
0
Indiana
I really think this is good to hear. Apple at the moment should take a step back for five minutes from this relentless pace they are going at and iron out all the bugs and secure everything up, so they can carry on with a good basis to be working from. If they keep going at this rate the platform as a whole will suffer as it gets greatly complicated to keep all the devices under control.
 

ethernet76

macrumors 6502a
Jul 15, 2003
501
0
Good! Us Mac users need a little more security. I got a little worried after the embarrassing story last week when ISE hacked Leopard in under 30 seconds while Windows Vista (SP1) and the latest Ubuntu weren't broken at all!

http://news.cnet.co.uk/software/0,39029694,49296255,00.htm

I'd hate to move back to Window$ because of Mac security flaws.

Any box, linux, xp, vista, os x can be hacked if a knowledgeable person is given access to it.

Vista was broken on day 2 and the linux box was hacked.

Stop trolling. Or stop being so gullible.

I should also notice that we run XP at work and I've managed to grant myself admin privileges and get around their silly internet blockade.

There will always be hacks. Speed is of little importance.
 

dejo

Moderator emeritus
Sep 2, 2004
15,982
452
The Centennial State
...I got a little worried after the embarrassing story last week when ISE hacked Leopard in under 30 seconds while Windows Vista (SP1) and the latest Ubuntu weren't broken at all!
30 seconds? Wow, I suspect as this story gets retold over and over the time will get even shorter. Soon 20 seconds. Then 10 seconds. Maybe even 3 seconds? Actually, it was 2 minutes.
 

Eraserhead

macrumors G4
Nov 3, 2005
10,434
12,250
UK
Phishing is actually a big problem. I would say worse than cross-site scripting. Cross-site scripting usually happened when you are on questionable websites, kind of an "I know I shouldn't be there" type of action.

Zdnet (part of CNet) got caught by cross-site scripting.

But phishing is actually more subtle. Let's say I go to XYZBank.com but I typed in XYZBenk.com or XYZ-Bank.com... Something I wouldn't quickly catch. And the site looks just like my bank. I enter my password and username. It gives an error that the bank site is under maintenance.... But by that time I am already dead.

OK, in that case then it wouldn't be obvious, but if it's an email link you at least shouldn't click on it if you know what you're doing.

Good! Us Mac users need a little more security. I got a little worried after the embarrassing story last week when ISE hacked Leopard in under 30 seconds while Windows Vista (SP1) and the latest Ubuntu weren't broken at all!

Actually Vista got hacked via Flash, which is essentially first party. Also any system can be hacked given enough time/effort.
 

MacClarence

macrumors newbie
Apr 7, 2008
26
0
West London
Any box, linux, xp, vista, os x can be hacked if a knowledgeable person is given access to it.

Vista was broken on day 2 and the linux box was hacked.

Stop trolling. Or stop being so gullible.

I should also notice that we run XP at work and I've managed to grant myself admin privileges and get around their silly internet blockade.

There will always be hacks. Speed is of little importance.

I'm not trolling or being gullible, I'm fully aware that any OS can be hacked - but surely any security vulnerability is bad, and the fact (from a Mac user's standpoint) that the Mac fared worst of all in the tests is slightly worrying! I'm glad to see :apple: doing something about it and hope that there is more to come!

After all, the last thing we want to see is some spoof Windows-Mac commercial where the Mac guy is full of holes and being attacked through them, while Windows bats away attackers with its security programs!

Actually Vista got hacked via Flash, which is essentially first party. Also any system can be hacked given enough time/effort.

Yeah, I know, but that wasn't until the rules of the competition were loosened and apps could be installed; the Mac was hacked when rules were stricter and they got in through Apple's own browser - which would have been the M$ IE6 story until recently :(
 

MrFrankly

macrumors regular
Jan 11, 2006
112
0
Cross-site scripting usually happened when you are on questionable websites, kind of an "I know I shouldn't be there" type of action.

Macrumors.com also suffers from a cross-site scripting vulnerability. Technically I could put the link on this forum and I could steal the cookie/password of everyone on this who clicks the link.

I won't place the link here because I think it's not really fair for Macrumors. But cross-site scripting can take place on every site.
 

jmadlena

Guest
Macrumors.com also suffers from a cross-site scripting vulnerability. Technically I could put the link on this forum and I could steal the cookie/password of everyone on this who clicks the link.

I won't place the link here because I think it's not really fair for Macrumors. But cross-site scripting can take place on every site.

Have you made the MacRumors staff aware of this vulnerability?

EDIT: Or is this something that they can do nothing about?
 

change

macrumors member
Apr 2, 2008
46
0
Who knows...
Re-write Quicktime Code?

I realize this would be a MASSIVE undertaking, but I wonder how many times you can patch possibly ancient code before we end up with buggy, inefficient software.

Not saying it's related but, for a time, my iMac would not play video and audio at the same time. This has since been fixed (via a software update), but one day I worry I'll have a project with a deadline and some security patch will shut me down. I'm all for security fixes; I applaud Apple for these. But I'm not sure I'll feel the same way when I'm spending a week in someone else's house renting computer time from them.
 

MrFrankly

macrumors regular
Jan 11, 2006
112
0
Have you made the MacRumors staff aware of this vulnerability?

EDIT: Or is this something that they can do nothing about?

Yeah I have just emailed them about it. It should be quite trivial for them to do something about it.
 

Amdahl

macrumors 65816
Jul 28, 2004
1,438
1
I've researched it a little bit since I got my MBP about a month ago and I don't see where much of anything is randomized. There are some libraries that are, but for the most part they are at the same location every time I looked. That and, most memory locations are still marked executable, which is not good.

I think the ASLR on OSX is done per-system when the library caches are created. So each system has a different randomization that changes only when library caches are reset. Feel free to correct me if that isn't the case.
 