Posted on 09/19/2008 10:09:34 PM PDT by Swordmaker
Apple fans are under attack on multiple fronts.
Security researchers have discovered an unpatched vulnerability in Apple's iTunes and QuickTime software that creates an opportunity to crash browser applications. The flaw might also open up a route to inject hostile code onto vulnerable systems, though this remains unproven.
Exploitation of the flaw in either case involves tricking surfers into opening a maliciously constructed QuickTime tag contained on a web page or embedded in an MP3 and video clip file. Security clearing house US CERT rates the buffer overflow-based flaw - which affects Apple QuickTime 7.5.5 and iTunes 8.0 - as a high risk bug.
Apple posted an update for QuickTime addressing earlier bugs only last week. The consumer electronic giant is yet to respond to the latest security flap involving its iTunes software, following the publication of an alert by US CERT on Thursday.
In other Apple-related security news, miscreants have disguised a Windows Trojan as a game for the Apple iPhone. The malware appears as an attachment in spam emails doing the rounds that appear with subject lines such as "Virtual iPhone games!" and "Apple: The most popular game!". Windoze users credulous enough to open the infected attachment 'Penguin.Panic.zip' will end up loading the Agent-HNY Trojan onto their systems.
The malware has no effect when opened on either a Mac or Jesus Phone, as explained in a write-up of the attack on a Sophos security blog. ®
We are??? We haven't noticed.
Apparently, since new Macs and Macbooks are expected possibly as soon as next week, FUD season has opened.
If you want on or off the Mac Ping List, Freepmail me.
"Welcome to the party, PAL!!"
OSX vulnerable to malicious attacks again
Heap overflow leaves Apple naked
By Aharon Etengoff: Friday, 19 September 2008, 9:05 AM
INSECURITY OUTFIT Intego has discovered a critical bug that leaves OSX vulnerable to malicious attacks.
Indeed, Apple's QuickTime player reportedly fails to properly process extended media streams. This shocking deficiency leads to nasty heap overflows that occur in QuickTime Player, iTunes and Mail.
The media streaming error also affects a number of Web browsers running on the platform, including Safari, Internet Explorer and Firefox.
The serious flaw has apparently left QuickTime vulnerable to infected media files designed to execute malicious code or crash a browser.
It should be noted that Club Cupertino issued its latest QuickTime band-aid only last week. In addition, OSX Leopard 10.5.5, released on 15 September, fixed a whopping 33 bugs, nine of which enabled remote code execution.
Is that laughter we hear from Redmond?
They are ignoring the fact that OS X's data stack and heap are non-executable. Oh well. The worst that should happen is crashing the application.
Read the article. The Trojan is a WINDOWS trojan and will not run on a Mac or on an iPhone. It is transmitted by email... which can be received on a Mac, an iPhone, or Windows PC. Only the last will be impacted by this. Therefore, Mac users are not being besieged by this malware, Windows users are!
Apple's QuickTime under fire - again
Just after Apple updated its QuickTime media software to version 7.5.5, a fresh vulnerability has been revealed along with a proof-of-concept exploit.
QuickTime is Apple's software component for media playback. It was ported to Windows many years ago to allow developers to use it to create cross-platform multimedia products and web sites.
Apple last week released QuickTime 7.5.5 featuring "changes that increase reliability, improve application compatibility and enhance security."
The security flaws it corrected related to various memory access or corruption issues, or heap buffer, stack buffer or integer overflow issues.
The QuickTime update accompanied iTunes 8.
The new flaw was revealed by a milw0rm.com user going by the name 'securfrog'.
According to securfrog, "The "" tag fail to handle long strings, which can lead to a heap overflow in Quicktime/Itunes media player [sic]."
This heap overflow results in a crash, but securfrog suggests "Code execution may be possible." The trick would be to craft an exploit so that the overflow results in the execution of code previously delivered by the attacker. [That is the trick... how does the hacker get his "previously delivered" code on the Mac in the first place? - Swordmaker]
The problem with QuickTime vulnerabilities is that the software is used so pervasively by Mac OS X. With a few exceptions, programs that need to play audio or video content do so via QuickTime.
Examples include iMovie, iTunes and (naturally) QuickTime Player. And when a user visits a web page containing graphics, movies or audio, the browser most likely calls on QuickTime to handle display or playback.
Ever received an email with an embedded movie or sound clip? QuickTime almost certainly played it for you.
QuickTime is even used in the Finder. Ever used the preview feature in Quick Look or in a Get Info window? That's QuickTime at work again.
The sample exploit provided by securfrog only causes a crash, and so is more likely to be a nuisance than anything else. But until the flaw is fixed, the possibility of a more dangerous exploit will remain.
Furthermore, securfrog points out that QuickTime parses headers contained in a file sent to it for processing even if the headers do not correspond to the file's type: "so you can put some xml in a mp4, mov,etc and open it with quicktime or you can do the same in some html page [sic]".
The pervasiveness of QuickTime means that suggestions from some quarters that the QuickTime browser plugin should be disabled until Apple releases a patch will have limited effectiveness.
While it would stop a malicious file embedded in a web page from triggering a crash, there are so many other situations that QuickTime is used with downloaded content that it would at best be a band-aid solution.
Furthermore, the loss of functionality would be so severe that it would not be a viable strategy for many users.
Code used to handle media files has proved a fertile hunting ground for security researchers, with Apple, Microsoft and other vendors having released multiple updates to handle such flaws once they are uncovered.
bookmark
Windoze users credulous enough to open the infected attachment 'Penguin.Panic.zip' will end up loading the Agent-HNY Trojan onto their systems. The malware has no effect when opened on either a Mac or Jesus Phone.
Jesus Phone? That kind of phraseology makes people cross.
I went shopping for a Mac yesterday, went to the salesman and asked him what’s coming up, and he was forthcoming about some of the rumors he had heard; nothing definite, but it was quite a confirmation that it is a good time to sit on your hands if you are tempted to buy one right now.
Also, getting the current ones when they get discontinued and marked down might not be bad...