
theBB

macrumors 68020
Original poster
Jan 3, 2006
It turns out that last weekend's well-publicized remote hack into a Mac was due to the way QuickTime handles Java. They say it affects any web browser where QuickTime handles Java, Firefox or Safari, and they say even if you are using Windows and have QuickTime installed. It is not a bug in the OS or Safari, but QuickTime. The one program from Apple I never liked much... :)

The only protection at the moment seems to be disabling Java (not JavaScript) in browser preferences.

More info:

http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/

Maybe we should update front page info...
 
So isn't this defeated by simply disablement of Java? Or does it require Java and QT to be disabled?

This is the first really credible vulnerability I have heard about and nothing is being said!

No updates available from Apple, no word from the QT project either. Java should have at least something to say!
 
So isn't this defeated by simply disablement of Java? Or does it require Java and QT to be disabled?
I believe disabling just Java is enough. If Java is disabled, Safari never invokes QuickTime to handle the malicious code.
 
Disable it in the Safari preferences.

Errr... if the bug requires a combination of Safari AND Java, then I guess I don't need to bother since I'm not using Safari?

PS, I was thinking of the system-wide Java functions, maybe it's not the case.
 
Errr... if the bug requires a combination of Safari AND Java, then I guess I don't need to bother since I'm not using Safari?

PS, I was thinking of the system-wide Java functions, maybe it's not the case.
No, it is not a combination of Safari and QuickTime. It is just QuickTime. As long as your web browser uses QuickTime to handle Java, you are vulnerable. Using Firefox by itself is not a defense.
 
No, it is not a combination of Safari and QuickTime. It is just QuickTime. As long as your web browser uses QuickTime to handle Java, you are vulnerable. Using Firefox by itself is not a defense.

I'm confused, I think Java has its own plug-in for Firefox? Why is QuickTime even involved here? ....
 
I'm confused, I think Java has its own plug-in for Firefox? Why is QuickTime even involved here? ....
I don't know, I am just repeating what I read on that website. BTW, I don't think FF has its own plug-in, as I kind of remember having to download something on the Windows side.
 
The one program from Apple I never liked much... :)


QuickTime is more than a program / application.

It is an absolutely vital component of the graphics architecture of Mac OS X.


It's changed a bit since, as the link will show, but this is how the System Architecture looks from a high-level perspective.

architecture.gif
 
If I were the guys who knew the exploit I'd closely guard it just to sell to Apple. Is that legal?

If so, I'd also be hyping it a little better too.
 
I'm confused, I think Java has its own plug-in for Firefox? Why is QuickTime even involved here? ....

Here's my understanding:

The flaw is in QuickTime, specifically in code that is accessible by library call -- meaning code that other developers use to include QT technology in their own programs.

Apple has connectors from Java to QuickTime in its implementation of Java, and the bug in QuickTime is accessible through these connectors. Thus, any application which uses this Java implementation can be used to pull off this exploit.

For many years now, Apple's Java implementation has been the only one available for Mac OS. Sun gave up on their port in the mid to late 90s as best as I can recall. So pretty much any app which uses Java (this could include a non-browser app, by the way...see Applet Runner) is vulnerable.

The exploit itself is not critical, though. Exploiting a browser is small potatoes because the browser usually (unless you modified your setup) runs as if it were a user. That means it has the same access to files that you do. So somebody using this exploit could erase your user data, but could not touch any system files or other users' files on the system.

Still, I'm glad somebody caught this. It really reflects how -- despite the attention Apple pays to security issues -- many layers of complex software can leave very tiny holes for crackers to wiggle through. It's extremely hard to be 100% safe, and having scrutiny on Mac OS (especially the non open-source parts) is good if it teaches us this lesson.
 
Your analysis sounds reasonable, although I am not sure if it's correct.

But if this is the case, disabling Java in Safari's preferences won't solve the system-wide Java implementation.

Then came back the same question I asked, exactly how to disable Java system-wide?

BTW, I checked Sun's website, it told me my Java is out of date, so I guess Sun does provide a newer version of Java for OSX.
 
I'm not in front of a Mac, but I think you have to disable Java from the Java preferences tool that is buried in the /applications/utilities/ folder alongside the other Java utilities.

Also, while Savar's analysis is excellent, I think the part about Java-QT connectors on the Java side is incorrect. From what everyone else says, this is purely a problem in which Java passes code / calls to QT (on any platform, using anyone's version of Java), and QT does not correctly protect itself from the possibly malicious content of those calls.

DrRock, no, this affects any computer running Windows or MacOS, in any revision, when Java and QuickTime are installed and enabled.
 
But if this is the case, disabling Java in Safari's preferences won't solve the system-wide Java implementation.
Unless I click on a website that includes Java in it, I don't think I am likely to be interacting with random Java code. BTW, I use NeoOffice, which I believe uses Java extensively, so I'd rather not disable Java completely. After all, any app can erase your user data completely and there is no way to stop that. The only protection is installing only trustworthy apps. This protection breaks down on the web, as it is more difficult to be that selective about which sites to visit and which links to follow.
 
Actually, when it comes to Firefox, there *are* "enable Java" and "enable Javascript" separate items in the content tab. So, at least in FF, you can turn Java off for FF only, which should address the issue.
 
Actually, when it comes to Firefox, there *are* "enable Java" and "enable Javascript" separate items in the content tab. So, at least in FF, you can turn Java off for FF only, which should address the issue.
Same with Safari...
 
So I think the deal is that, as long as you do not have another source of untrusted Java execution, disabling Java (NOT JavaScript) in your browser should be enough to safeguard you on this front, right? Not that I'm really sure you even need to do that...
 