Apple Closes iSight Security Hole

Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (isight) web cam sees up to the server. I'm glad they fixed this quickly."

Security Hole?

[Billosaur]

Or cleverly disguised attempt to monitor people by the Department of Homeland Security? You be the judge!

Re:Security Hole?

[D-Cypell]

You be the judge!

Can I be the clandestine military tribunal?

Oblig. Buckaroo Banzai quote

[transporter_ii]

Laugh-a while you can monkey boy.





Which is kind of fitting with the Buckaroo article on the front page yesterday!

Transporter_ii

Re:Security Hole?

[TheRaven64]

In his book, 1984, George Orwell proposed the idea of television screens that also acted as camera and allowed a remote viewer to monitor whatever was going on in front of them.

In the year 1984, Apple Computers released an advert for the first Mac with the slogan 'Why 1984 won't be like 1984.'

In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.

Re:

[peragrin]

I believe it's apple but it could be another company but someone has a patent for inserting a photo receptor along side of LCD color pixels.

by using software to combine the image the screen could literally be the camera.

Good for video conferencing, useful for general security(bars and vegas could suddenly have more camera's at various angles at their disposal), totally 1984.

Re:

[Billosaur]

In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.

And in the year 2011, iMacs and iPods will join together in a cyber-network to battle the ultra-powerful PS3 collective. Oops... you weren't supposed to know about that...

Re:

[geobeck]

And in the year 2011, iMacs and iPods will join together in a cyber-network to battle the ultra-powerful PS3 collective.

"Those helmets weren't designed to handle this level of rock'n'roll!" -PS3 (Plankton, Sheldon the Third)

C'mon, we all know the iPods will win with music, right?

Tape War

[bill_mcgonigle]

In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.

Your Orwellian society is defeated by a piece of tape.

Re:

[Yvan256]

Your Orwellian society is defeated by a piece of tape.

And some CD DRM is defeated by a Sharpie marker.

Isn't technology great? In the future, Red Green [redgreen.com] is going to rule the world!

Re:

[FLEB]

How about Post-Its? I use a Post-it.

Re:

[rahrens]

Once they get the camera pixel patent into production, and the entire screen surface is the camera lens, that won't work! (unless you just don't wanna watch TV!)

Re:

[Nefarious Wheel]

Seriously, how can anybody be sure that everything you have ever done on your computer, since the advent of the internet, hasn't been recorded and cached somewhere, for later analysis...

Golly! I have an audience to play to?

Re:Security Hole?

[LurkerXXX]

Psst, hey anonymous troll. MS used to release patches at random intervals as soon as they were ready as well. They did that for many years. Their huge corporate clients asked them to consolidate the patches to a regular interval so that their tech staff could test and roll them out in synch, saving tons of time testing all their regular and custom built in-house apps with each patch that MS released to make sure nothing broke, then rolling them out to thousands of machines, then testing all their stuff again 3 days later when another patch rolled out, then 5 days later when another patch rolled out, etc, etc.

Patch Tuesday was because of customer requests. This isn't 'competition' against patch tuesday.

Re:

[internic]

While what you're saying might well be true, I really don't understand the logic. If MS released patches continuously as they were completed, how would this stop major corporations from testing and deploying them on a regular cycle? Couldn't the corporation equally well still have a "patch Tuesday" where the collect all the current, undeployed patches and begin the process of testing and deploying them? All patches that became ready later than that would be processed in the next cycle. If MS released p

Re:

[LurkerXXX]

Some security holes are reported to the public by security researchers, etc. But lots of them are security holes MS finds themselves, or are reported to them in private by security researchers (giving them a fair amount of time to fix them before they would be made public).

When MS releases a patch to fix one of those MS-only-new-about holes, hackers do quick diffs, etc between them and the original files to find out what exactly the hole was that MS was patching. They then write an exploit for it and rele

Re:

[internic]

That makes some sense, but it does rely on a number of assumptions: For example, if one could only discover how to exploit a vulnerability by looking at the patch, then this policy would clearly be well justified. In reality, some vulnerabilities will be announced by others before they are patched by MS, and people will devise exploits from those announced vulnerabilities or may find for themselves and exploit some of the vulnerabilities that MS is sitting on the patches for. In the end, whether the "pat

Re:

[TheRaven64]

Sometimes, someone (malicious) outside MS finds a security hole and exploits it. This is called a zero-day vulnerability, since exploits are available from day 0.

More often, either a reputable security firm or someone inside MS finds a flaw. If they are outside the company, then they go through normal notification channels. Microsoft then release a patch fixing the vulnerability. At this point, a load of crackers install the patch and then diff their new system against the old one. They can then nar

Re:Security Hole?

[djh101010]

That's going to keep me laughing a long time. ESPECIALLY at the mac zealots out there (those who believe it was the perfectly secure OS,

You know, it's funny. The ONLY people I ever see who say "perfectly secure" or "bulletproof", are people like you. Maybe you just don't read clearly and you think Mac folks actually are saying it, or maybe you're just an AC trying to stir up discussion. So are you ignorant, or are you lying?

Re:Security Hole?

[Skuld-Chan]

He does have a point. I was in the Apple store only a month ago where an Apple salesman was telling me they have a totally secure OS that doesn't get viruses and is hacker proof (his words). I don't have my own Mac (I have one at work), but I was doubtful to his claims. I can see however how an unsuspecting consumer might buy into that.

So no - I heard this from an actual Apple employee that OSX is "perfectly secure".

To be honest they only people I've heard this claim from are Apple sales people and Apple employees at conventions (I work for a software developer).

Re:Security Hole?

[Moofie]

And you should always take every word that comes out of a salesperson's mouth as the gospel truth, and not apply common sense ever.

Re:

[djh101010]

Your interpretation is flawed. He wrote:

That's going to keep me laughing a long time. ESPECIALLY at the mac zealots out there (those who believe it was the perfectly secure OS,

to which I replied: You know, it's funny. The ONLY people I ever see who say "perfectly secure" or "bulletproof", are people like you.

That's hardly me saying "Nobody ever claims that OS X is bulletproof and perfectly safe.". If you're unable to see the difference, well, maybe someone can explain it to you. My point was, and

Re:

[toddestan]

I've run into a few, usually their "proof" revolves around there being no widespread viruses and malware out in the wild for the Mac like there is for Windows.

Re:

[TheRaven64]

The original iSigh had a physical shutter. When the camera was turned off, the shutter closed. You could look in the end and see that it was impossible to take a picture. I don't understand why something like this wasn't included with the built-in one; a simple slider over the front would have done the trick...

Re:

[Fahrenheit 450]

Well, if you want a number of resellers will physically disable the camera for you. We needed to have that done where I work if we ever wanted to bring them in from the parking lot...
Or you could, you know, stick an index card or a Band-Aid or something over the lens...

Re:

[forkazoo]

Or cleverly disguised attempt to monitor people by the Department of Homeland Security? You be the judge!

I dunno about DHS, but I do know that this report has made me cancel the Christmas orders I had placed for Mac Laptops to give to hot chicks...

And images of

[Timesprout]

A fat sweaty bearded geek sitting in his parents basement scoffing pizza and jolt while on a raid with his guild is a security issue how exactly?

Nonsense

[CmdrGravy]

The internet is full of ladies and they all surf practically naked, I know this because this is what they tell me in chatrooms and other socialising sites.

Re:And images of

[Rakshasa Taisab]

Uhm, the article said Apple, not Windows.

As is well known, we users of MacOSX are all tall with athletic bodies.

Re:And images of

[hab136]

As is well known, we users of MacOSX are all tall with athletic bodies.

Speak for yourself.. I'm a fat sweaty geek sitting in a basement scoffing pizza and Pepsi while on a raid with his guild (WoW for OSX). No beard though, and it's my basement.

Scoffing pizza?

[Doctor Memory]

"Pizza, bah!"

"Your pizza is insignificant compared to the power of the Force!"

"Dude, pizza is, like, so last week, dude..."

ITYM scarfing pizza...

Re:

[TheLink]

scoff is correct.

http://dictionary.reference.com/search?q=scoff

scarf is slang.

Re:

[Doctor Memory]

</whoosh>

Re:

[Conanymous Award]

Thank you, fellow OS X user, for making my day with this comment. Unfortunately, I must sue you for the loss of my MacBook's keyboard due to a sudden, violent outburst of tea you just caused.

Re:

[vjmurphy]

Well, understand that my knowledge of computers has come totally from watching TV and movies: my assumption is that while said fat sweaty bearded geek may look like he's raiding with his guild, it's likely that he's accidentally connected to a Department of Defense computer and is actually sending orders to a highly trained team of Navy Seals working undercover. The good news is that these types of things always seem to end well for all involved, with DKP for all.

Re:

[jimstapleton]

given a recent slashdot article [slashdot.org], I think your comment should be fixed:

A fat sweaty bearded granny sitting in his parents basement scoffing pizza and jolt while on a raid with his guild is a security issue how exactly?

Re:And images of

[un1xl0ser]

Dude, this was on a Mac... no games. duh

Re:And images of

[operagost]

Liar. There's Breakout, Super Breakout, and Photoshop!

Re:

[aristotle-dude]

Actually, Photoshop (for the Mac) is compiled for a PPC processor. On an Intel Mac it runs through Rosetta (the PPC emulator built into OS X). For now, Photoshop users would be better served by keeping their PPC Macs.

The Beta of CS3 was released on Friday as a Universal binary.

Re:

[shrubya]

Dude, except for WoW. that game. duh

Re:

[Clock Nova]

Hey, we got Starcraft just last week. That's pretty fun.

Re:

[djh101010]

Dude, this was on a Mac... no games. duh

Ignorance, or humor? It's so, so hard to tell. And besides, I could always boot the thing into Windows if I wanted. But by all means, don't let actual facts get in the way of your ignorance and/or joke. /me waits for "one button mouse" comment/

Re:

[Burz]

A fat sweaty bearded geek sitting in his parents basement scoffing pizza and jolt while on a raid with his guild...

Hey, some people think Santa is sexy!

Too late, Taco!

[elrous0]

They didn't update QUITE fast enough. I've already seen you in your underwear.

It's not a pretty sight, folks.

-Eric

I guess we won't be.....

[8127972]

..... Able to see cute college co-eds prancing around in their dorms half (of if we're lucky, totally) naked.

Wrong demographic for Mac...

[xxxJonBoyxxx]

Wrong demographic for Mac...if you wanted to see male liberal arts majors with rectangular-lensed glasses watch Futurama reruns on bean-bag chairs I think you'd be happier.

Amusing Anecdote

[99BottlesOfBeerInMyF]

One day I wandered into the closest Apple store and was playing with the latest version of OS X to see if I wanted to upgrade. They all had internet connections and isight cameras and I thought it would be fun to play with them. So I made up a new ichat account and added a few people I knew at the time with a camera on their system to the buddy list to see if they were online. The person available just happened to be a cute college co-ed dating one of my buddies. She's one of those skinny little redheads guys always seem to fall for. Anyway, after I got to try out the video chat feature I took off and thought no more about it.

The next time I talked to her she told me I had brought her a lot of entertainment and some embarrassment. It seems people in the store also wanted to try out the video chat, and since there was an account set up with her on the list, they kept sending her chat requests. This was the entertaining part. The embarrassing part was the first time someone did that, she assumed it was me again, and was not quite fully dressed at the time. She said the guy seemed pretty shocked, but nice enough after she jumped out of the camera's line of sight and pulled on a robe.

Re:

[TheLink]

So she doesn't mind you seeing her "not quite fully dressed"?

Hmmm...

Re:

[99BottlesOfBeerInMyF]

So she doesn't mind you seeing her "not quite fully dressed"?

Not everyone is a prude :) Besides, I'm living with her old roommate, who is cuter yet, which puts me in the "safe" category as far as most women are concerned.

Re:

[Woy]

... Looking back, most industry executives agreed that the singular moment that propelled Apple to its current 97% marketshare was a lone post on what was then just another Internet forum, and not the brain center for the world government it is today: "The post from '99 [99BottlesOfBeerInMyF] really just got things started," says Steve Jobs, "Up until then we were kind of sitting around wondering how to sell all those shiny computers. We knew about girls and cameras, but we didn't think of putting the two t

As Someone Who Doesn't Own A Mac...

[sweatyboatman]

I personally am disappointed. Imagine the YouTube videos that would have been possible with just a month's worth of such video. I mean, yes, 90% of it would be unshowered nerds with bad posture, but that 10% would have been gold!

Darn.

[Grendel Drago]

And Mac users are lithe, sexy art types, too. I know, because the ads tell me so.

Would make for a GREAT security wake-up website

[Jah-Wren Ryel]

There are a few websites out there that will tell you your IP address, browser type, OS type and even guess at your general geographic location based on things your browser tells it. Some of these sites do it to "shock" people into realizing they are NOT anonymous on the net.

What a great enhancement it would be for such websites to display a picture of the user at his computer! "We know you use a Mac, Live in California and Look like THIS!" Just one visit such a site would go a LONG way to instilling a useful level of caution.

Re:

[Peganthyrus]

You can still do this [oreillynet.com].

Re:

[Peganthyrus]

Oops, no, you can't - I just went and plugged in the webcam to check. Seems that any and all QCs that use the 'video input' or 'audio input' are now "unsafe, and cannot be viewed in WebKit", though you only get that warning when linking straight to the .qtz. Well, that's no fun!

You know, people can get audio and video through the Flash player too and nobody's gone hogshit.

Re:

[Firehed]

That freaked me out when it came up in MacHeist. It continues to freak be out because it's not blocked by my freshly installed NoScript extension.

Re:

[Peganthyrus]

Sorry about that. Works fine for me on Safari. I guess Firefox and/or your system doesn't like tiny Quartz compositions.

Re:

[Anthracks]

It froze mine too...on Windows XP. WTF? Why should WinXP care about Quartz? Perhaps I'll have to file a bug.

Re:

[Lars T.]

So it showed you Firefox has a potential security hole allowing code execution instead.

Re:

[99BottlesOfBeerInMyF]

Thanks a lot - that web page completely froze up my Firefox.

It worked fine for me with Firefox 3alpha1, although it displays the end of the tag as text. No crashes though. For an alpha, I'm pretty impressed with the stability and the native spellchecking and cocoa widgets rule. Check it out. (Disclaimer your milage may vary, it is an alpha... don't try typing your thesis in this and complain when it crashes.)

Re:

[Macthorpe]

Did exactly the same with me and Opera. Crashed the browser, restarted and it worked fine.

What an oddity.

Why didn't anybody tell me?

[UnknowingFool]

[Stops dancing wildly in front of computer]
Nobody saw that, right?

Re:

[Lars T.]

[Stops dancing wildly in front of computer]
Nobody saw that, right?

No, but we felt the earth move.

Am I the only one

[LittleBunny]

Am I the only one who wishes that the laptops with the built-in iSight had a way to manually close the shutter, like the standalone iSight? I always keep mine closed when I'm not using it, but the lack of such a shutter on the laptops makes me profoundly uncomfortable at the thought of owning one. Maybe this sort of thing will serve as a wakeup call?

Re:

[Orthodork]

Duct tape will manually close the shutter. And a tinfoil hat will keep those nasty thoughts out of your head a little better.

Re:

[LittleBunny]

I've tried the tinfoil hat, believe me. Multiple layers, even. It seems to have no discernable effects on nasty thoughts. But then, maybe I just haven't given it enough time.

Re:

[OldeTimeGeek]

It works better if you nail it down. Or so I've been told...

Re:

[Sierran]

Heh. You're not the only one. Despite fears of being called a paranoiac, and despite assurances that the 'in use' LED would warn me, I have this nice little stuffed penguin, see...and when I place him atop my iMac, his beak fits just precisely over the camera lens.

Now all those unscrupulous bastards at DHS need to do is realize that my cat is a) home all day and b) bribable with kibbles and I'm *screwed*.

Re:Am I the only one

[geobeck]

...I have this nice little stuffed penguin, see...and when I place him atop my iMac...

So you're using a Linux patch for your Mac vulnerability?

Re:

[soft_guy]

There are inexpensive third party covers for the built-in iSight that stay on real well and don't damage the computer/camera.

Re:

[Thumper_SVX]

And you're going to miss the honking great green "in use" light? If you can't see that while looking at the screen, I'd have your eyes checked. Mine on my Macbook Pro is actually quite distracting when it's on. Yes, I use it for IM occasionally.

Re:

[Thumper_SVX]

Electrically speaking, that's impossible. The way the LED is wired up it isn't software controlled; it's hardware. If there's a current to the camera, there's a current to the LED.

OK... it isn't big, but it IS bright. I mean distractingly so... it just looks big when it's on :)

Nothing to iSight here...

[Rastignac]

...move along. ;)

Why this is interesting

[daveschroeder]

Of course, an application running on your local machine can do anything it wants. So it's not surprising that a malicious Java applet/application could, well, do malicious things.

For those who don't know, a Quartz Composer composition saved as a QuickTime movie can display the iSight image locally. Since QuickTime movies can be embedded in web pages, you can create a movie that displays the *local* iSight image back to the person, locally. Nifty, right?

But is interesting is that via Java hooks in QuickTime for Java, a Java applet could be used in conjunction with this Quartz Composer movie to do anything that a Java applet could instruct QuickTime to do - including take a shot of whatever is being displayed in the QuickTime movie - and then do anything else a Java applet could be designed to do - in this case, potentially send that image somewhere.

So, this could be done on any platform with a camera, since all it is is malware running to perform a specific task.

But what's more interesting is:

- All Mac OS X systems will always have QuickTime, and thus always have the capability to run such a composition
- All Apple laptops have cameras that cannot be easily disabled (of course (unless the LED is burnt out) due to the way the iSight is set up electrically, the green light will always be on when in use)

The ubiquitousness of iSight camera is what makes this little trick interesting. It also raises issues such as: why didn't Apple offer an option to delete the camera (especially for government/military customers, as other vendors, like Palm, do), and why didn't Apple offer a mechanical shutter for the iSight on all models?

In any case, it's fixed with Security Update 2006-008, but a legitimate Java application, i.e., one you trust, could still do just that. Which stands to reason, of course, since code running on your machine - even if instantiated by a web page - can really do anything that you have permission to do, including delete files. That's the nature of applications.

One other note: you can indeed disable the iSight by (re)moving: /System/Library/Extensions/Apple_iSight.kext /System/Library/QuickTime/QuickTimeUSBVDCDigitizer .component

In sum, the reason why this is interesting is because of the ubiquitousness of the Apple iSight on Apple laptops and the fact that it's ready for use. But, someone still has to visit a malicious site and run a malicious Java applet - user interaction: the hallmark of Mac OS X vulnerabilities!

Re:

[galego]

- All Apple laptops have cameras that cannot be easily disabled (of course (unless the LED is burnt out) due to the way the iSight is set up electrically, the green light will always be on when in use)

What .. just like those that save a piece of the packaging to act as a buffer between the keyboard and screen on their laptops... save a piece of tape [duct|electrical|masking] to patch that [security] hole.

:p

Re:Why this is interesting

[daveschroeder]

I should also note that, for government/military customers, Apple does have a contractor that can physically disconnect the iSight and internal microphone as part of the procurement process, and meets GSA schedules and requirements for "no-camera" or "no-microphone" environments; additionally, infrared, Bluetooth, and AirPort can also be disabled. This does not void any waranties. That contractor is:

Holmans [holmans.com]
6201 N. Jefferson Ave
Albuquerque, NM 887109
Tony Greiner
505 343 3529
tgreiner@holmans.com

GSA schedule GS-35F-0341N
DOE authorized (LLNL and LANL)
DOE "L" clearance personnel

For individual customers, any Apple Authorized Service Provider [apple.com] can disconnect any or all of the above components, and are happy to accommodate such requests. Such requests also do not void warranties.

Again, these components can all be disabled by software means in managed environments where physical disconnection/removal of the device(s) is not a requirement.

I should note that this trick could technically be done any any platform with a camera: run malicious software designed to send imagery from an attached camera somewhere. But in the case of Mac OS X on Apple hardware, it becomes interesting because Apple has already done all the work to drive the camera and display within QuickTime (via Quartz Composer, the integrated camera and drivers, and so on), and then QuickTime for Java can be used via a malicious Java application or applet (which still has to be run, of course) to send images remotely. After Security Update 2006-008, a Java applet (unless it is a signed applet that is specifically allowed by the user) can no longer make such such calls to QuickTime for Java.

Re:Why this is interesting

[daveschroeder]

It's a good thing that this was never in the wild (insert someone ominously saying "THAT WE KNOW OF..." here) and is now fixed, then, isn't it?

And actually, this has nothing to do with "integrating all (?) its OS components with the web browser". It has to do with QuickTime movies being able to be embedded in a web page, which is perfectly appropriate, and another supported feature of QuickTime, namely QuickTime for Java, being able to take instructions from a Java applet, like it was designed to do. None of these things are "bugs", but the confluence of them in this circumstance allows a malicious applet to take imagery from the camera via a Quartz Composer composition. This has ZERO to do with "integrating OS components" into the browser. This is all done via QuickTime and QuickTime for Java, which can be accessed via the browser. Oversight? Yes. Now fixed? Yes.

As for how long you think a malicious ad doing *anything* on a major network would survive, let's just say "not long". By that logic, you could make the same claim about things that install malware via browser vulnerabilities on any platform: "But what if you got this on a popular site?!?" Yeah, what if?

Re:

[IamTheRealMike]

As for how long you think a malicious ad doing *anything* on a major network would survive, let's just say "not long".

It doesn't have to be long, that's the trick. This isn't a theoretical problem, it has actually happened multiple times with previous browser based exploits. One ad-based attack is estimated to have zombied over a million machines in the span of hours it was live for. This makes sense - ad networks serve millions of impressions per hour, and it can easily take several hours for them to r

Keep their little heads in the sand.

[delire]

Got to love the idea of using an OS whose scope of security vulnerability need to be 'leaked' to be known.

Fsck that..

Re:

[delire]

Yes I realise I just had an RTFA parse error..

No security hole -- RTFrigginA

[Deep Fried Geekboy]

If Cmdr Taco had actually read the friggin' MacSlash article he links to, and scrolled down to the comments, he'd see that the 'exploit' is not fixed by this patch and what's more, doesn't send info to the server. Fer feck's sake.

Re:

[annodomini]

And if you had read the Security Advisory [apple.com], you would have seen that the problem they were fixing was about data being sent to the server and was fixed. They did not remove quartz composer functionality from Quicktime movies, so the movies you can download that show you to yourself, possibly with some effects added, still work (and are still a little creepy), but they only display the picture locally. What they did was remove the functionality from unsigned Java applets to embed such movies, because those ap

Re:No security hole -- RTFrigginA

[99BottlesOfBeerInMyF]

What they did was remove the functionality from unsigned Java applets to embed such movies, because those applets could take the image produced by Quicktime and send it back to the server, which was a real problem.

Yeah, too bad Sun announced yesterday [sun.com] a flaw in all their runtime environments that allows untrusted applets to access data from trusted applets. I don't think Apple has squashed that one, so there is still some potential for mischief.

Re:

[shawnce]

What you say is true for some definition of "java runtime environment".

In general however Apple attempts to use as much of Sun's implementation as possible so very often issues in Sun's JVM can be present in Apple's.

just like flash?

[zen611]

Doesn't flash do this already? As a "feature"?

Yeah, just like that, except:

[mbessey]

The "feature" of sending video to random strangers on the Internet is disabled by default for Flash, and was enabled by default for QuickTime/Java beore this patch was issued.

Sun

[BenjyD]

I guess this kind of thing is why Sun put a mechanical lens cover on their webcams.

Shameful this hasn't shown up yet.

[0100010001010011]

In Soviet Russia, websites look at you!

Closes iSight (security hole)

[ezzewezza]

Just makes me think:

It is pitch black. You are likely to be eaten by a grue.

/View mode

[dpbsmith]

Back in the late 1980s and early 1990s, Compuserve's "CB simulator," Delphi, and other services provided text-based multiway services of the kind now known as "chat."

It was fairly common for someone to make a joking about how they were or were not dressed. A common reply was for someone else to type something like /view mode on

and tell the group that he or she could now verify whether or not first speaker had been telling the truth. Occasionally the first speaker would be naive and gullible enough to believe it.

Little did I know that /view mode would actually be implemented within my lifetime.

Sounds like an old SunOS issue

[Stonent1]

Some versions of SunOS had /dev/audio set with permissions that anyone could access it. So someone would just have to telnet into the computer with a non-root account and dd if=/dev/audio of=/export/home/joeschmoe/capture and get a dump of anything being said in that room.

Give me a break

[CODiNE]

So all the high rated posts I see talk about how terrible Apple's security was, 1984 comes true, blah blah blah.

Did any of you bother to try out the exploit? I just did... know what it does? It turns on that bright green LED right next to the camera, the one that tells you when it's on. It's pretty bright and when it turns on all of the sudden, you NOTICE. It then proceeded to crash my browser. Well it may be possible that Apple carefully designed their hardware in such a way that the LED is software controlled and the camera is capable of invisibly monitoring people, there is no evidence to back those claims.

True with proprietary software one just never knows for sure, but honestly let's see someone figure out how to take a picture or make a movie without the light coming on, THEN we can start calling Apple Big Brother. Honestly if that were possible then I'd dump this laptop in a heartbeat since it would require purposely designing it with that in mind.

Re:Give me a break

[99BottlesOfBeerInMyF]

So all the high rated posts I see talk about how terrible Apple's security was, 1984 comes true, blah blah blah.

I don't see that as the character of the highly rated posts here.

Well it may be possible that Apple carefully designed their hardware in such a way that the LED is software controlled and the camera is capable of invisibly monitoring people, there is no evidence to back those claims.

I strongly suspect that the LED is hardwired to the camera. That would be easy to do and makes sense from a design perspective. I'd be happier, however, if Apple provided some confirmation of this, rather than leaving us all to hope that is the case.

... but honestly let's see someone figure out how to take a picture or make a movie without the light coming on, THEN we can start calling Apple Big Brother.

I think that would make them lousy designers, not big brother, unless there is also evidence that they are doing something with that anti-feature. I'm not happy, however, about assuming all is well unless it can be proved otherwise. I like openness in this regard rather than relying upon obscurity.

Honestly if that were possible then I'd dump this laptop in a heartbeat since it would require purposely designing it with that in mind.

That's not necessarily so. It could be they bought an off the shelf component without an indicator and wanted to tie its operation to the LED, but the interface was such that you couldn't just string it inline with the power without detrimental affects. So they put them both in and tied them in firmware or software and are hoping no one will figure out that it can be bypassed. That would explain their silence on the topic, although it could just be that no one who knows has realized people want to know or have doubts. I rarely use the iSight on my laptop and I did not pay for it anyway. If I feel it is a threat a small square of metal and some electrical tape will take care of it.

iSight - Unavailable at Apple Store Online

[Bones3D_mac]

If you check out the iSight section [apple.com] of Apple's online store, the iSight itself is nowhere to be found. I noticed this a few days ago, thinking it may just indicate an update was coming at the next MacWorld event a couple weeks from now. However, I'm starting to think this issue may well be a factor toward its seemingly sudden disappearance from Apple's website.

Re:

[99BottlesOfBeerInMyF]

However, I'm starting to think this issue may well be a factor toward its seemingly sudden disappearance from Apple's website.

I doubt it. I suspect that they are waiting to release a new version. They pulled it from their european stores a while ago when the new import rules went into place and have not yet started selling a compliant redesign. Since they are now built-in on all laptops and imacs, there is less demand for these and it probably just is not a priority. They could even just add them as a bu

Fundamental design problem

[MobyDisk]

People who think Apple is safe by design need to take a hard look at this vulnerability.

Description: Java applets may use QuickTime for Java to obtain the images...

This is just like the classic Microsoft/ActiveX type of problems. They exposed a control to web pages then realized, after the fact, that the control could do things they didn't intend. It's just like how MS Office was exposed via VBScript/JScript. And just like how Firefox exposed XUL commands. So now Apple exposed native controls via Java.

Apple's solution is the same as Microsoft's. Only "signed" applets can access this control now. The fundamental problem though, is that unsigned applets shouldn't be able to access anything outside of the standard Java classes. They need to stop making blacklists and whitelists of what controls are safe, and instead, make it so that no controls are safe.

Re:

[cnettel]

Reservation: I didn't read TFA, I've no idea about CVE numbers, but the CVE number for this issue was first listed as "reserved" over a month ago [mitre.org]. Not two months after it was found, but still six weeks or so.

Re:

[petard]

Apple reserves blocks of CVE numbers in advance, without necessarily having a problem report that matches up. They were told about this on 01 December.

Re:

[Valthan]

Wasn't the hole found about a year ago now?

Re:

[Yvan256]

Aren't the iSight and microphone supposed to be electronically wired to the LED? I.E. if the iSight and/or microphone are being accessed, the LED lights up?

Re:

[Yvan256]

I would try it, but there's no LED on my PowerBook and no iSight nor microphone on my Mac mini.