Security Businesses Apple

Apple Closes iSight Security Hole 213

Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash, the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (isight) web cam sees up to the server. I'm glad they fixed this quickly."
This discussion has been archived. No new comments can be posted.

  • by daveschroeder ( 516195 ) * on Wednesday December 20, 2006 @10:57AM (#17312434)
    Of course, an application running on your local machine can do anything it wants. So it's not surprising that a malicious Java applet/application could, well, do malicious things.

    For those who don't know, a Quartz Composer composition saved as a QuickTime movie can display the iSight image locally. Since QuickTime movies can be embedded in web pages, you can create a movie that displays the *local* iSight image back to the person, locally. Nifty, right?

    But what is interesting is that via Java hooks in QuickTime for Java, a Java applet could be used in conjunction with this Quartz Composer movie to do anything that a Java applet could instruct QuickTime to do - including take a shot of whatever is being displayed in the QuickTime movie - and then do anything else a Java applet could be designed to do - in this case, potentially send that image somewhere.

    So, this could be done on any platform with a camera, since all it is is malware running to perform a specific task.

    But what's more interesting is:

    - All Mac OS X systems will always have QuickTime, and thus always have the capability to run such a composition
    - All Apple laptops have cameras that cannot be easily disabled (of course (unless the LED is burnt out) due to the way the iSight is set up electrically, the green light will always be on when in use)

    The ubiquitousness of iSight camera is what makes this little trick interesting. It also raises issues such as: why didn't Apple offer an option to delete the camera (especially for government/military customers, as other vendors, like Palm, do), and why didn't Apple offer a mechanical shutter for the iSight on all models?

    In any case, it's fixed with Security Update 2006-008, but a legitimate Java application, i.e., one you trust, could still do just that. Which stands to reason, of course, since code running on your machine - even if instantiated by a web page - can really do anything that you have permission to do, including delete files. That's the nature of applications.

    One other note: you can indeed disable the iSight by (re)moving: /System/Library/Extensions/Apple_iSight.kext /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component

    In sum, the reason why this is interesting is because of the ubiquitousness of the Apple iSight on Apple laptops and the fact that it's ready for use. But, someone still has to visit a malicious site and run a malicious Java applet - user interaction: the hallmark of Mac OS X vulnerabilities!
  • Re:and... (Score:3, Informative)

    by petard ( 117521 ) on Wednesday December 20, 2006 @11:01AM (#17312464) Homepage
    Apple reserves blocks of CVE numbers in advance, without necessarily having a problem report that matches up. They were told about this on 01 December.
  • by delire ( 809063 ) on Wednesday December 20, 2006 @11:04AM (#17312526)
    Yes I realise I just had an RTFA parse error..
  • by Deep Fried Geekboy ( 807607 ) on Wednesday December 20, 2006 @11:07AM (#17312580)
    If Cmdr Taco had actually read the friggin' MacSlash article he links to, and scrolled down to the comments, he'd see that the 'exploit' is not fixed by this patch and what's more, doesn't send info to the server. Fer feck's sake.
  • just like flash? (Score:2, Informative)

    by zen611 ( 903428 ) on Wednesday December 20, 2006 @11:12AM (#17312656)
    Doesn't flash do this already? As a "feature"?
  • by annodomini ( 544503 ) <lambda2000@yahoo.com> on Wednesday December 20, 2006 @11:59AM (#17313334) Homepage
    And if you had read the Security Advisory [apple.com], you would have seen that the problem they were fixing was about data being sent to the server and was fixed. They did not remove quartz composer functionality from Quicktime movies, so the movies you can download that show you to yourself, possibly with some effects added, still work (and are still a little creepy), but they only display the picture locally. What they did was remove the functionality from unsigned Java applets to embed such movies, because those applets could take the image produced by Quicktime and send it back to the server, which was a real problem.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday December 20, 2006 @12:08PM (#17313450)

    What they did was remove the functionality from unsigned Java applets to embed such movies, because those applets could take the image produced by Quicktime and send it back to the server, which was a real problem.

    Yeah, too bad Sun announced yesterday [sun.com] a flaw in all their runtime environments that allows untrusted applets to access data from trusted applets. I don't think Apple has squashed that one, so there is still some potential for mischief.

  • Re:Security Hole? (Score:4, Informative)

    by LurkerXXX ( 667952 ) on Wednesday December 20, 2006 @12:28PM (#17313688)
    Psst, hey anonymous troll. MS used to release patches at random intervals as soon as they were ready as well. They did that for many years. Their huge corporate clients asked them to consolidate the patches to a regular interval so that their tech staff could test and roll them out in synch, saving tons of time testing all their regular and custom built in-house apps with each patch that MS released to make sure nothing broke, then rolling them out to thousands of machines, then testing all their stuff again 3 days later when another patch rolled out, then 5 days later when another patch rolled out, etc, etc.

    Patch Tuesday was because of customer requests. This isn't 'competition' against patch tuesday.
  • Re:And images of (Score:3, Informative)

    by djh101010 ( 656795 ) * on Wednesday December 20, 2006 @12:33PM (#17313772) Homepage Journal
    Dude, this was on a Mac... no games. duh

    Ignorance, or humor? It's so, so hard to tell. And besides, I could always boot the thing into Windows if I wanted. But by all means, don't let actual facts get in the way of your ignorance and/or joke. /me waits for "one button mouse" comment/
  • by daveschroeder ( 516195 ) * on Wednesday December 20, 2006 @12:40PM (#17313888)
    I should also note that, for government/military customers, Apple does have a contractor that can physically disconnect the iSight and internal microphone as part of the procurement process, and meets GSA schedules and requirements for "no-camera" or "no-microphone" environments; additionally, infrared, Bluetooth, and AirPort can also be disabled. This does not void any warranties. That contractor is:

    Holmans [holmans.com]
    6201 N. Jefferson Ave
    Albuquerque, NM 887109
    Tony Greiner
    505 343 3529
    tgreiner@holmans.com

    GSA schedule GS-35F-0341N
    DOE authorized (LLNL and LANL)
    DOE "L" clearance personnel

    For individual customers, any Apple Authorized Service Provider [apple.com] can disconnect any or all of the above components, and are happy to accommodate such requests. Such requests also do not void warranties.

    Again, these components can all be disabled by software means in managed environments where physical disconnection/removal of the device(s) is not a requirement.

    I should note that this trick could technically be done on any platform with a camera: run malicious software designed to send imagery from an attached camera somewhere. But in the case of Mac OS X on Apple hardware, it becomes interesting because Apple has already done all the work to drive the camera and display within QuickTime (via Quartz Composer, the integrated camera and drivers, and so on), and then QuickTime for Java can be used via a malicious Java application or applet (which still has to be run, of course) to send images remotely. After Security Update 2006-008, a Java applet (unless it is a signed applet that is specifically allowed by the user) can no longer make such calls to QuickTime for Java.
  • Re:Security Hole? (Score:3, Informative)

    by LurkerXXX ( 667952 ) on Wednesday December 20, 2006 @01:23PM (#17314440)
    Some security holes are reported to the public by security researchers, etc. But lots of them are security holes MS finds themselves, or are reported to them in private by security researchers (giving them a fair amount of time to fix them before they would be made public).

    When MS releases a patch to fix one of those MS-only-knew-about holes, hackers do quick diffs, etc. between them and the original files to find out what exactly the hole was that MS was patching. They then write an exploit for it and release it on the net (to take over machines for bot-armies, do corporate espionage, etc). This happens within a day or a few days of the patch release. If a company doesn't bother testing and rolling out those patches until a bunch of them accumulate, they are going to leave a nice big window of attack for the bad guys.
  • Re:Tape War (Score:3, Informative)

    by rahrens ( 939941 ) on Wednesday December 20, 2006 @01:44PM (#17314756)
    Once they get the camera pixel patent into production, and the entire screen surface is the camera lens, that won't work! (unless you just don't wanna watch TV!)
  • Re:And images of (Score:3, Informative)

    by aristotle-dude ( 626586 ) on Wednesday December 20, 2006 @05:39PM (#17318016)

    Actually, Photoshop (for the Mac) is compiled for a PPC processor. On an Intel Mac it runs through Rosetta (the PPC emulator built into OS X). For now, Photoshop users would be better served by keeping their PPC Macs.

    The Beta of CS3 was released on Friday as a Universal binary.

  • Re:Security Hole? (Score:3, Informative)

    by toddestan ( 632714 ) on Wednesday December 20, 2006 @09:03PM (#17320442)
    I've run into a few, usually their "proof" revolves around there being no widespread viruses and malware out in the wild for the Mac like there is for Windows.
  • Re:Security Hole? (Score:1, Informative)

    by Anonymous Coward on Wednesday December 20, 2006 @10:04PM (#17320890)
    When the camera was turned off, the shutter closed.

    Actually you opened or closed the shutter by rotating the front lens (a physical interlock, so it was impossible to open the shutter in software).
