
macrumors bot
Original poster


Apple has released Security Update 2006-008 for Mac OS X 10.4.8 (client and server). The 1.8 MB update addresses a vulnerability in QuickTime for Java and Quartz Composer.

It appears as though the update fixes a vulnerability where a specially-crafted Java applet could obtain images rendered on screen by embedded QuickTime objects and upload them to the originating website. Because QuickTime can be used in conjunction with Quartz Composer, this could theoretically allow a hacker to craft an applet that could obtain an attached (or built-in) iSight camera's images. While external iSight cameras have the ability to physically close an iris and turn the camera off, built-in iSight cameras (such as on the MacBook, MacBook Pro, and iMac) cannot be physically turned off.

More detailed information can be found via this tech note.
 
I knew having a non-turn-offable camera would come back to haunt Apple. At least this vulnerability was fixed, but I wonder if there are other back-doors. Will MOAB find any???
 
Haha, any hacker would get a very uninteresting shot out of my built-in iSight.

It's 2.7 MB on my MacBook as well.
 
This might be the only case I ever heard of where you can say "I didn't really fix the bug, but I put a band-aid on it" (over the camera lens).
 
It's my understanding that although there's no iris, there's ALSO no way--due to the electrical design of the iSight--to have the camera turned on without the green On Air light also being on. So at least you always have warning when an app is using the camera. Further clarifications welcomed.
 
Could people read the description on Apple's website carefully and tell me if I'm totally wrong in thinking that this has nothing at all to do with iSight, and everything to do with being able to retrieve images that are being rendered on screen by Quicktime?

And is it a new policy now for Apple to provide plenty of details about the fix, even if it's being misunderstood (by me or the MacRumors administrator who posted this)?
 
Such a little update for such a big issue🙂

Installed ok seemed to boot faster and Safari seems snappier;-)
 
It's my understanding that although there's no iris, there's ALSO no way--due to the electrical design of the iSight--to have the camera turned on without the green On Air light also being on. So at least you always have warning when an app is using the camera. Further clarifications welcomed.

That is theoretically correct. Basically, that's what Steve said when he introduced the built-in version without the iris. However, I hesitate to say 100% definitive statements like "no way". For instance, what if the LED actually burns out or loses contact? The hardware may still be sending the signal for it to turn on, but I don't know if it would be smart enough to realize that the LED isn't operating correctly and therefore the iSight shouldn't operate. In such a case, you may see the iSight work and the LED not illuminate.

I'm just hypothesizing, but trying to prove my point that it's dangerous to say 100% definitive things 🙂
 
I bought my mom an iMac a month ago and she specifically asked me if something like this could happen. Mothers always know.
 
Could people read the description on Apple's website carefully and tell me if I'm totally wrong in thinking that this has nothing at all to do with iSight, and everything to do with being able to retrieve images that are being rendered on screen by Quicktime?

You have to read into what they are saying a bit. The update is for both QuickTime AND Quartz Composer. Quartz Composer can be used to control an iSight, so when you use it in conjunction with QuickTime, you could actually write an applet on a webpage that displays your iSight imagery. Now, theoretically those images should only be viewable on your screen and not accessible to the remote web server, but the vulnerability was that QuickTime for Java could actually grab the Quartz Composer images. Thus, it could grab your iSight images.

If you have an iSight, you can go to the following website to see how Quartz Composer can control your iSight on a website. It's O'Reilly's site, so while I can't 100% guarantee that it doesn't contain malicious code, I think we should be pretty safe. At least, the site doesn't appear to use QuickTime for Java, which is where the vulnerability is. http://www.oreillynet.com/lpt/wlg/7409
 
You could always use White-Out, or a white strip of tape...

I have only "used" my iSight camera on my macbook once. Otherwise it is wasted hardware. 🙁
 


In related news, it has been announced the Month of OSX Bugs will not start until January 2nd, but will still end January 31st.
 
It's my understanding that although there's no iris, there's ALSO no way--due to the electrical design of the iSight--to have the camera turned on without the green On Air light also being on. So at least you always have warning when an app is using the camera. Further clarifications welcomed.

Since the camera only has to be on long enough to capture an image, it could take a still image and only be on as long as the "shutter", which might be hard to catch if you're not paying attention. One of those things where you might "think you saw it" but then convince yourself you were imagining things.
 