Mac hack was via QuickTime

Discussion in 'Mac Apps and Mac App Store' started by theBB, Apr 24, 2007.

  1. theBB macrumors 68020

    Joined:
    Jan 3, 2006
    #1
    It turns out that the last weekend's well publicized remote hack into Mac was due to the way QuickTime handles Java. They say it affects any web browser where QuickTime handles Java, Firefox or Safari, and they say even if you are using Windows and have QuickTime installed. It is not a bug in the OS or Safari, but QuickTime. The one program from Apple I never liked much... :)

    The only protection at the moment seems to be disabling Java (not JavaScript) in browser preferences.

    More info:

    http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/

    Maybe we should update front page info...
     
  2. BilltheCat macrumors regular

    Joined:
    Jan 14, 2007
    Location:
    Sanford FL
    #2
    So isn't this defeated by simply disabling Java? Or does it require Java and QT to be disabled?

    This is the first really credible vulnerability I have heard about and nothing is being said!

    No updates available from Apple, no word from QT project either. Java should have at least something to say!
     
  3. theBB thread starter macrumors 68020

    Joined:
    Jan 3, 2006
    #3
    I believe disabling just Java is enough. If Java is disabled, Safari never invokes QuickTime to handle the malicious code.
     
  4. clevin macrumors G3

    Joined:
    Aug 6, 2006
    #4
    How to disable Java in OS X?
     
  5. savar macrumors 68000

    Joined:
    Jun 6, 2003
    Location:
    District of Columbia
    #5
    Disable it in the Safari preferences.
     
  6. clevin macrumors G3

    Joined:
    Aug 6, 2006
    #6
    Errr... if the bug requires a combination of Safari AND Java, then I guess I don't need to bother since I'm not using Safari?

    PS, I was thinking the system-wide Java functions, maybe it's not the case.
     
  7. theBB thread starter macrumors 68020

    Joined:
    Jan 3, 2006
    #7
    No, it is not a combination of Safari and QuickTime. It is just QuickTime. As long as your web browser uses QuickTime to handle Java, you are vulnerable. Using Firefox by itself is not a defense.
     
  8. clevin macrumors G3

    Joined:
    Aug 6, 2006
    #8
    I'm confused, I think Java has its own plug-in for Firefox? Why is QuickTime even involved here? ....
     
  9. theBB thread starter macrumors 68020

    Joined:
    Jan 3, 2006
    #9
    I don't know, I am just repeating what I read in that website. BTW, I don't think FF has its own plug-in, as I kind of remember having to download something on Windows side.
     
  10. elppa macrumors 68040

    Joined:
    Nov 26, 2003
    #10

    QuickTime is more than a program / application.

    It is an absolutely vital component of the graphics architecture of Mac OS X.


    It's changed a bit since, as the link will show, but this is how the System Architecture looks from a high level perspective.

    [​IMG]
     
  11. KurtangleTN macrumors 6502a

    Joined:
    Apr 2, 2007
    #11
    If I were the guys who knew the exploit I'd closely guard it just to sell to Apple. Is that legal?

    If so, I'd also be hyping it a little better too.
     
  12. daveL macrumors 68020

    Joined:
    Jun 18, 2003
    Location:
    Montana
    #12
    You sound just like the kind of person that makes the world what it is today.
     
  13. savar macrumors 68000

    Joined:
    Jun 6, 2003
    Location:
    District of Columbia
    #13
    Here's my understanding:

    The flaw is in QuickTime, specifically in code that is accessible by library call -- meaning code that other developers use to include QT technology in their own programs.

    Apple has connectors from Java to QuickTime in its implementation of Java, and the bug in QuickTime is accessible through these connectors. Thus, any application which uses this Java implementation can be used to pull off this exploit.

    For many years now, Apple's Java implementation has been the only one available for Mac OS. Sun gave up on their port in the mid to late 90s as best as I can recall. So pretty much any app which uses Java (this could include a non-browser app, by the way...see Applet Runner) is vulnerable.

    The exploit itself is not critical, though. Exploiting a browser is small potatoes because the browser usually (unless you modified your setup) runs as if it were a user. That means it has the same access to files that you do. So somebody using this exploit could erase your user data, but could not touch any system files or other users' files on the system.

    Still, I'm glad somebody caught this. It really reflects how -- despite the attention Apple pays to security issues -- many layers of complex software can leave very tiny holes for crackers to wiggle through. It's extremely hard to be 100% safe, and having scrutiny on Mac OS (especially the non open-source parts) is good if it teaches us this lesson.
     
  14. clevin macrumors G3

    Joined:
    Aug 6, 2006
    #14
    Your analysis sounds reasonable, although I am not sure if it's correct.

    But if this is the case, disabling Java in Safari's preferences won't solve the system-wide Java implementation.

    Then it comes back to the same question I asked: exactly how to disable Java system-wide?

    BTW, I checked Sun's website, it told me my Java is out of date, so I guess Sun does provide a newer version of Java for OS X.
     
  15. DrRock macrumors regular

    Joined:
    Jun 18, 2005
    #15
    ^

    So, from what I'm reading, this only affects MacBooks? Not Power Macs?
     
  16. mkrishnan Moderator emeritus

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #16
    I'm not in front of a Mac, but I think you have to disable Java from the Java preferences tool that is buried in the /applications/utilities/ folder alongside the other Java utilities.

    Also, while Savar's analysis is excellent, I think the part about Java-QT connectors on the Java side is incorrect. From what everyone else says, this is purely a problem in which Java passes code / calls to QT (on any platform, using anyone's version of Java), and QT does not correctly protect itself from the possibly malicious content of those calls.

    DrRock, no, this affects any computer running Windows or MacOS, in any revision, when Java and Quicktime are installed and enabled.
     
  17. theBB thread starter macrumors 68020

    Joined:
    Jan 3, 2006
    #17
    Unless I click on a website that includes Java in it, I don't think I am likely to be interacting with random Java code. BTW, I use NeoOffice, which I believe uses Java extensively, so I'd rather not disable Java completely. After all, any app can erase your user data completely and there is no way to stop that. The only protection is installing only trustworthy apps. This protection breaks down on the web, as it is more difficult to be that selective about which sites to visit and which links to follow.
     
  18. mkrishnan Moderator emeritus

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #18
    Actually, when it comes to Firefox, there *are* "enable Java" and "enable JavaScript" separate items in the content tab. So, at least in FF, you can turn Java off for FF only, which should address the issue.
     
  19. theBB thread starter macrumors 68020

    Joined:
    Jan 3, 2006
    #19
    Same with Safari...
     
  20. mkrishnan Moderator emeritus

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #20
    So I think the deal is that, as long as you do not have another source of untrusted Java execution, disabling Java (NOT JavaScript) in your browser should be enough to safeguard you on this front, right? Not that I'm really sure you even need to do that...
     
