Yeah, I know, but that wasn't until the rules of the competition were loosest and apps could be installed; the Mac was hacked when rules were stricter and they got in through Apple's own browser - which would have been the M$ IE6 story until recently :(

Flash is installed on over 90% of computers; essentially it's more first-party, in the sense that everyone has it, than Windows itself.

Macrumors.com also suffers from a cross-site scripting vulnerability. Technically I could put the link on this forum and I could steal the cookie/password of everyone on this who clicks the link.

Fortunately it wouldn't work in Safari though?
 
Well, it's not; the website I noticed this on was using it legitimately. However, they could have done it another way, and to be honest it doesn't really have too many legitimate uses.

I know Firefox patched several security holes over the years related to different sorts of XSS. I still can't tell the whole picture of this situation.

Oh well, I might dig more into this later when I have time.
 
Sorry, I was busy so didn't respond. Basically some pages don't display properly in Safari, with the following error in the Web Inspector:

Unsafe Javascript attempt to access http://www.somewebsite.com from frame with URL http://blahblah.somewebsite.com domains, protocols and ports must match

When I clicked 'somewebsite' I got that;
when I clicked 'blahblah' I got to the OpenDNS page (using Safari).

I guess a good question would be: we live in the 21st century; why is SAFARI still allowed to be phished...?
 
Easier said than done. While I imagine parts of QuickTime were rewritten for OS X, that doesn't mean all of it was rewritten. There is probably significant code that predates OS X and might even go back to when QuickTime was first written.

The truth is that any decent software should never be completely rewritten. It's just too expensive. The cheaper alternative is to rewrite sections of the code on a branch as you have time and resources.

This works better because at any given point in time, you always have something that works; whereas if you started over from scratch, there's a possibility that you would never ship a complete product.
 
It was only a year ago when they threatened lawsuits against Dave Maynor over the WiFi vulnerability and against CanSecWest presenters.

Um, no. Let's recap.

Some asshat named David Maynor says that he dislikes Mac users because they're smug, which ostensibly gives him license "to stab one of those users in the eye with a lit cigarette or something". (Direct Maynor quote, BTW.) So he goes and releases a video at the Black Hat conference that shows some supposed vulnerability in Apple's AirPort drivers for the MacBook. And some hack reporter (Krebs) signs on to this supposed vulnerability with the sensational headline "How to Hack a MacBook in 30 seconds".

But then when people start asking questions, Maynor and Ellch refuse to offer details, switch their story multiple times, and don't actually produce any verifiable evidence that they've found a vulnerability. The only thing that they release to the public is that there is a "similar" vulnerability in a third-party wireless card, but there's no evidence this affects the stock MacBook card. Maynor and Ellch don't send any details about the vulnerability to Apple, and then they (this is Maynor and Ellch, not Apple) insinuate that Apple threatened their security company with legal action.

This whole charade continues for almost a year until Maynor and Ellch finally "reveal" their details, which turns out to be an exploit that had been known for a while (no thanks to Maynor and Ellch) and which Apple patched while Maynor and Ellch were fear-mongering all across the internets.

I'm sorry, but Apple handled that situation as well as they could have. Maynor and Ellch were the irresponsible ones.

As for CanSecWest 2007, there was no threatened legal action whatsoever. Where the heck did you get that misinformation? The information from the vulnerability that Dai Zovi demonstrated was disclosed in a responsible manner to Apple, and there were no theatrics as in the Maynor and Ellch case.

Dai Zovi is not an anti-Apple fanboy by any means. But to lump Maynor and Ellch into the same boat as Dai Zovi is an incredible insult to Dai Zovi. And to say that Apple was irresponsible in both these cases is just a flat-out lie.

That's not to say that Apple's attitude to security is great or even good. Both Apple and Mac users are a bit complacent about security because we've been living virus- and trojan-free ever since Mac OS X came out.

But despite the fact that the Mac platform has become pretty popular as of late, there still have been no real viruses or trojans released for the platform. There have been only three "viruses" released in the wild, where by "viruses" I mean "things that you have to manually launch, manually authorize, and manually copy to other computers in order to 'infect' them".

There's just no evidence to believe that the virus-free nature of the Mac platform is poised to change at any time in the future. The argument that the Mac's gains in popularity means that it will be increasingly targeted is fallacious — the first hacker who successfully creates and deploys a self-replicating, self-propagating virus for Mac OS X would gain incredible notoriety. But no such thing has been created yet.

So, yes, you can say that Apple is irresponsible for not being proactive at introducing more anti-hacker technologies, but Mac OS X's security record is impeccable.
 
It works fine in Safari. Safari has no way of knowing when something is cross-site scripting or when something is legal.

That was the point I raised earlier: the domains, protocols and ports have to match for the JavaScript to execute.

Unless you have another way to do it that gets around that, and does that make Apple's fix fairly pointless...
 
I realize this would be a MASSIVE undertaking, but I wonder how many times you can patch possibly ancient code before we end up with buggy, inefficient software.

Not saying it's related, but for a time my iMac would not play video and audio at the same time. This has since been fixed (via a software update), but one day I worry I'll have a project with a deadline and some security patch will shut me down. I'm all for security fixes; I applaud Apple for these. But I'm not sure I'll feel the same way when I'm spending a week in someone else's house renting computer time from them.

LOL, ask Microsoft; you would think that XP would be bug free after so many patches over all these years. LOL.

FYI, I have never seen any software perform good and proper validation of media. They only do so much but not the whole thing, and sooner or later someone finds a new way to mangle a file and cause the browser or the media player to flip over and die. Until they go all the way there will always be problems. Players and browsers are about the least secured programs regardless of the OS; it is just their nature. Functionality and performance win over security every time.
 
PS2. I noticed two updates (iTunes 7.6.2 and QT 7.4.5) again are ~90MB in size.. will Apple ever be able to make some partial update packages and save me some download time? Or don't people with slow internet speeds deserve the same level of security?

LOL - or for those of us who have a download quota on their broadband plan and need to be frugal about what they download..... or suffer getting 'shaped' back to 64kb till the next bill cycle date!! :(
 
LOL - or for those of us who have a download quota on their broadband plan and need to be frugal about what they download..... or suffer getting 'shaped' back to 64kb till the next bill cycle date!! :(

The current packages offered via Software Update are *already* "delta" packages which change only what needs to be changed.

If you have a slow internet connection or a bandwidth quota, just go to your nearest Apple retail store and ask them to burn a CD of updates for you.
 
People who need their machines to be trouble free (or at least close to it). It is not that they changed it; it is the impression of being a quick fix. QT is a very core part of the Mac experience and includes a framework for third-party plug-ins. They are probably afraid that this is a reactive change on Apple's part and that it may not have been adequately tested (as implied by the article). Even if this is completely trouble free, the quick implementation can be perceived as poor practice.
Then again for all we know, Apple has been working on this and testing for a year...

That said, I did not give it a negative, but I also abstained from a positive.

Either that, or the fact that it should have been done long ago; as soon as Leopard was released, the bundled version should have been (along with everything in the operating system) compiled with ASLR. There are no excuses these days: if Linux distros and Microsoft can do it, so can Apple.
 
That was the point I raised earlier: the domains, protocols and ports have to match for the JavaScript to execute.

Unless you have another way to do it that gets around that, and does that make Apple's fix fairly pointless...

I think you still misunderstand what cross-site scripting (XSS) actually is. XSS has nothing to do with loading scripts from a different domain. It is about code injection into a webpage: inserting little fragments of code, usually JavaScript, into the normal page.
So Safari or any other browser will be unable to detect when something is XSS, because it simply loads code from the same site.
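To illustrate the distinction drawn in that reply, here is an added example that is not from the thread: a page template that reflects a query parameter, first unescaped and then HTML-escaped, next to the scheme/host/port comparison that the Safari error message describes. The template, the sample input and the helper names are all constructed for this example.

```javascript
// Added example: why a same-origin check does not stop XSS.
// The injected fragment is served as part of the page itself, so the
// browser's origin comparison never sees anything cross-origin.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable template (constructed): the search term is concatenated
// straight into the markup, so any tags in it become part of the page.
function renderVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened template: identical page, but the untrusted value is escaped
// on output and can only ever be rendered as text.
function renderSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Simple detection check: does the rendered page contain a <script> tag
// that the template itself never wrote?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Same-origin test as Safari's inspector message phrases it: scheme, host
// and port must all match. Note it compares origins only, never content.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;   // "" for the scheme's default port
}

// Constructed sample input: a harmless marker fragment, not a real payload.
const SAMPLE_TERM = "<script>/* injected */</script>";
```

The two render functions show that the fix for XSS lives in the page's output encoding; the browser's origin check, which correctly rejects the frame access in the error quoted above, is the wrong layer to expect it from.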
 
....insinuate that Apple threatened their security company with legal action.

No, they didn't insinuate, they blatantly said that Apple forced them to lie about the existence of the vulnerability and threatened lawsuits against SecureWorks. They even showed emails between Apple and Maynor proving that.

This whole charade continues for almost a year until Maynor and Ellch finally "reveal" their details, which turns out to be an exploit that had been known for a while (no thanks to Maynor and Ellch) and which Apple patched while Maynor and Ellch were fear-mongering all across the internets.

Uh, IIRC Maynor and Ellch reported the vulnerabilities to Apple around the time of the Blackhat presentation, long before Apple patched them.

As for CanSecWest 2007, there was no threatened legal action whatsoever. Where the heck did you get that misinformation? The information from the vulnerability that Dai Zovi demonstrated were disclosed in a responsible manner to Apple, and there were no theatrics as in the Maynor and Ellch case.

Er, my bad, I was referring to the EUSecWest incident, not CanSecWest. You are right, but I was not referring to last year's PWN2OWN; I was referring to the incident where an EUSecWest presentation was canceled due to "pressure from Apple".

...Mac OS X's security record is impeccable.

Which is more by chance than anything, it certainly isn't anything Apple has done.

EDIT:

And fwiw, I don't disagree that Maynor is a FUD monger and typically turns a molehill into a mountain.
 
Is it? You'd think that they'd rewrite it from the ground up for today's world...

Trust me, I am a programmer and have worked on a lot of old systems. Sometimes it is quicker to fix and code workarounds for a situation than to try to re-invent the wheel, especially when users are demanding something or something is critical.

Example: I worked for a large laboratory company that had systems from the 1970's. It took them 4 years to re-write only a couple of systems from scratch in Java or .NET. Some systems they never finished, as it was too hard for the new language to handle, and thus they were stuck with patching the old ones. Then of course they also made a decision to switch from an easy language (MUMPS) to COBOL. It takes them months to do in COBOL what we can do in a couple of minutes in MUMPS.

Besides, with QuickTime so heavily used by external devices (like digital cameras, etc.), you have to worry about compatibility issues with new revisions. Look at Microsoft and their Vista issues. They tried to completely rewrite an operating system, and thus broke a lot of stuff, which made unhappy users.

I think Apple is a little smarter than that - and if they do revision it, they will take the steps necessary to avoid rushing out code, like Microsoft.
 
... Do you blame him?

I don't blame most of the security community for not liking Apple. They (Apple) have been unethical and irresponsible in the past when dealing with the security community and to this day, I don't know anyone that deals with the Apple security team and has anything positive to say. ...
I don't want to start a flame war (especially on such an old, dead thread), but this is absolute nonsense.

No reputable security expert with perhaps the *exception* of Dai Zovi believes anything of the sort. Notice I let out David Maynor because we are talking about *reputable* security experts. ;)
 