Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Businesses Apple

Apple Responds to MOAB 126

frdmfghtr writes "Apple has released what appears to be the first security update as a result of the "Month of Apple Bugs." While the Apple site doesn't explicitly say that the fix was a result of the MOAB, it does point to a sample Quicktime file that triggers the overflow flaw (well, sort of...it says the file is there but doesn't provide any links)."
This discussion has been archived. No new comments can be posted.

Apple Responds to MOAB

Comments Filter:
  • MOAB? (Score:5, Funny)

    by Southpaw018 ( 793465 ) * on Wednesday January 24, 2007 @09:44AM (#17737378) Journal
    First thing I thought of was this [youtube.com].
    • As did I. I think a "Massive Ordinance Air Blast" is a lot more interesting than an Apple bug fix too :)
    • Re:MOAB? (Score:5, Funny)

      by Penguinisto ( 415985 ) on Wednesday January 24, 2007 @10:26AM (#17737846) Journal
      Could be worse... all this time I kept thinking that Apple somehow added Detroit Lockers and a new set of leaf springs to its Macs in response to Moab [moab-utah.com]...

      (Guess that's what I get for living in Utah and owning a Jeep...)

      /P

    • by vbjay ( 1006505 )
      What chance does a little apple have against a MOAB?
    • Re: (Score:3, Insightful)

      by Agram ( 721220 )
      Well for all intents and purposes the Month of Apple Bugs was to Apple security claim pretty much what your MOAB is to those poor trees. Hate to break it to you ladies and gentlemen, but there is no such thing as bug-free/secure OS. Not Linux, not OS X, and definitely not Windows. The bottom line is that the system is only as secure as its user makes it. What in this case made Month of Apple Bugs so disrupting was not that Apple's OS is insecure (at least not any more than any other OS), but rather the fact
  • Doom B (Score:2, Funny)

    by bryan1945 ( 301828 )
    Day of obvious Microsoft Bugs?

    Sorry, couldn't resist.
  • I haven't heard much coverage on the MOAB since the QuickTime revelation -- haven't they dug up any further baloney in the OS or its core of Jobsian iApps?

    If the highlight of the month is the damn QuickTime thing, this has worked out to be a fairly dull bug hunt. The submitter should've at least linked up the MOAB reference with some supporting fun.

    Also: is Steve Jobs technically a bug or a feature?

    • by qwertphobia ( 825473 ) on Wednesday January 24, 2007 @09:54AM (#17737486)
      No, it's still going strong.
      http://projects.info-pull.com/moab/ [info-pull.com]
      One could argue the significance of each bug, but I would say the quantity is not lacking. I was sure I would see a few days or a week, but it looks like there has been a total of 23 when I visited the site.

      I'd have to say Steve Jobs is a core daemon :-)
    • by solevita ( 967690 ) on Wednesday January 24, 2007 @10:23AM (#17737788)
      Also: is Steve Jobs technically a bug or a feature?

      I'm told he's the irreplaceable core of Apple inc, so I guess he's neither a bug nor a feature; he's Apple's Internet Explorer.
      • Re: (Score:3, Funny)

        by powerlord ( 28156 )
        I'm told he's the irreplaceable core of Apple inc, so I guess he's neither a bug nor a feature; he's Apple's Internet Explorer.
        So what you're saying is, you don't want to use him all the time, otherwise you'll end up in a world of hurt, but every now and then there is a site you just have to trot him out for?

        Oh ... like ... say the MacWorld Keynote? :)
    • Re: (Score:3, Informative)

      by sokoban ( 142301 )
      No, this isn't the only bug, nor is it the most serious.

      There are remote code execution and escalation of privileges bugs that are still yet to be fixed, but at least it appears that these bugs are being taken seriously and will hopefully be fixed.

      There are all sorts of people trying to find bugs in Linux and Windows, but not nearly as many people are doing so for OS X. As a Mac user, I am glad someone is doing this now and finding these bugs and exposing them to the public and to Apple before there are ex
      • There are all sorts of people trying to find bugs in Linux and Windows, but not nearly as many people are doing so for OS X.

        I'm not sure how true this is. Apple is doing audits for security internally, and a lot of security researchers have informally looked into OS X bugs with security implications as well. There are a lot of security people using OS X laptops these days (judging by their omnipresence at conventions the last few years), and they notice things and are interested and motivated.

        As a Mac

    • by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday January 24, 2007 @10:32AM (#17737946)

      I haven't heard much coverage on the MOAB since the QuickTime revelation -- haven't they dug up any further baloney in the OS or its core of Jobsian iApps?

      They've revealed a number of potentially exploitable bugs, although nothing to really worry about right away, and a number more third party bugs that have little or nothing to do with Apple.

      If the highlight of the month is the damn QuickTime thing, this has worked out to be a fairly dull bug hunt.

      The most interesting thing to come out of this so far is actually a third party bug in Colloquy, a popular IRC client. The bug itself is not all that novel, but the explanation of the bug that the MOAB team allegedly, originally posted showed them using the vulnerability to hack users on the popular #macdev on Freenode IRC. Basically, many people are claiming they posted a log of them not only behaving unethically, but illegally before even announcing the vunlerability. The explanation of the bug they now post no longer contains that log. For more information check out the article [arstechnica.com] and the accompanying forums.

    • Re: (Score:3, Insightful)

      by jagilbertvt ( 447707 )
      Of course they didn't release an update for the Windows version of QT.
      • Of course they didn't release an update for the Windows version of QT.

        They say the update is through Apple Software Update, and to reinstall QT if you didn't put it on originally.

        Funny, when I do ask it to update, I get an offer for iTunes 7.0.2. No patch.
  • ummm (Score:5, Informative)

    by Kyro ( 302315 ) on Wednesday January 24, 2007 @09:51AM (#17737454)
    from the linked apple release: " A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007). This update addresses the issue by performing additional validation of RTSP URLs."

    is that not explicit enough??
    • Re:ummm (Score:5, Insightful)

      by DLG ( 14172 ) on Wednesday January 24, 2007 @10:33AM (#17737972)
      Yeah, it is hard to accuse Apple of dodging the project by explicitly highlighting their 'contribution'. I wonder what the author wanted to see.

      "Oh Noez, W3 WUZ PWNED by the MO@B Kr3w!!!!"

      Really pretty respectful to simply describe the bug, and describe the exploit that is specifically focussed on that bug, pointing the the source of it.

      I think that MOAB did focus attention on some real issues although they had to stretch out some issues to multiple days (several DMG file structure errors which essentially were DOS at worst (a corrupt file shouldn't cause crashes it is true, but that can be one day worth of bugs since the fix is essentially 'validate file more effectively before loading it')

      As far as the questions about things like diskutil restoring permissions on files that have lost their SUID bits due to being modified, thats a solid issue, although diskutil is run by administrative account from what I recall, and really points back to the question of how do you avoid having someone with an account on a machine they have in their home or office from getting root access, and then not doing stupid things to their machine. Basicly the same can be said about any system that allows someone root access. There is no OS that can stop SU from fraking things up as far as I know.

      Anyway, I think the real truth is that there are no great showstoppers. Omniweb closed their security flaw the day it was released (and wondered why they couldn't have been contacted prior to the publicity. Any argument that 'Apple ignores bug reports' sort of goes to hell when talking about third party software issued). Even worse was day two's focus on VLC a project that has less relevance on Apple's OS than it does in the Linux world. I think they should have focused on things Apple needed to fix, rather than things that break on Apples, just like they break everywhere, without Apple having much to do with it at all, nor any real influence on the developers. I mean technically you could put any Window security issue into the Apple MOAB since Windows apps run on Macs these days. Is that helpful? Not really.

      So I would say that Apple has shown a willingness to respond to a bug report, I have not really seen them creating negative press against the MOAB folks, and there hasn't really been a showstopper that was strong enough to get mainstream press.

      • Yeah, it is hard to accuse Apple of dodging the project by explicitly highlighting their 'contribution'. I wonder what the author wanted to see.


        I expected to see an acknowledgment along the lines of "Thanks to the MOAB team for alerting Apple of this flaw in Quicktime." For all we know, Apple already knew about it and fixed it without any help from the MOAB effort. Even Microsoft acknowledges outside efforts that uncover flaws in Microsoft products.
        • Re:ummm (Score:5, Informative)

          by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday January 24, 2007 @12:34PM (#17739842)

          I expected to see an acknowledgment along the lines of "Thanks to the MOAB team for alerting Apple of this flaw in Quicktime." For all we know, Apple already knew about it and fixed it without any help from the MOAB effort. Even Microsoft acknowledges outside efforts that uncover flaws in Microsoft products.

          Apple acknowledges contributions from users who report bugs to them. Just read any of their security patches and about half the items are attributed to a bug reporter outside the company. The question is, did the MOAB really report this bug to Apple as they strongly implied? We know they did not report the bug to the OmniGroup team, since their CEO went on record saying they found out about it from someone who say the MOAB site.

          If I were Apple I wouldn't give these guys credit at all, seeing as they are behaving unethically and irresponsibly. Giving them press just encourages others to behave like this.

        • Re: (Score:3, Interesting)

          by DLG ( 14172 )
          I don't know that people posting exploits on a public site, and making press releases about it is the same as reporting bugs to a developer. I mean I am sure there are many people who have posted messages about exploiting bugs in some way in many forums, but mostly they aren't technically reporting those bugs to the developer. In the case of MOAB they explicitly have stated they were NOT reporting the bugs to the Apple, but were doing it a different way to force Apple to respond differently than their norma
    • Re: (Score:1, Troll)

      by RAMMS+EIN ( 578166 )
      Well, on the web we have this thing called hyperlinks. The great thing about hyperlinks is that the allow you to quickly go to the place they point to, rather than having to look through a pile of sites to find the one that matches the one referred to in the text you were reading.

      Of course, that all falls on the floor if you don't actually _use_ hyperlinks. So no, just mentioning the source in plain text is not enough.
  • by bmajik ( 96670 ) <matt@mattevans.org> on Wednesday January 24, 2007 @09:59AM (#17737550) Homepage Journal
    I speak the truth! There are No Bugs In The Macintosh! Those whom you have heard saying there are bugs? Where are they now? They are not in the Macintosh. They are roasting in the stomach of the Jobs.

    Even if there were Bugs in the Mac OS, the infidels would not find them. We would know about them first and Fix them forthwright. They will never defeat us for 1000 generations.

    We welcome the discovery of bugs in the Macintosh! We have set a trap for them and when they fall into it, we will be victorious, Jobs willing! We will ensnare them with the traps we have set and will cast them out of the kernel and back to where they came from!

  • by Anonymous Coward on Wednesday January 24, 2007 @10:03AM (#17737590)
    They've succeeded in furthering the silly notion that OSX is more secure. :( Here we have 20 some odd bugs and not a SINGLE disastrous outbreak among OSX computers. Will someone please find the ball and GET ON IT?!? Maybe they'll have some amazingly earth shattering ones towards the end of the month.

    If this little act of theirs doesn't result in a major worm/virus outbreak, then that means that even if you SHOW people how to break the system they still can't, again furthering the notion that OSX is somehow more secure than Windows!!
    • They said one of the exploits was reported to them as a Zero-Day which is in fact being exploited by a malicious self-encrypting program (if you can call xord strings self-encrypting). So it seems there has indeed been an "outbreak".
  • What is it with the human race and creating an acronym for every damn thing?
    • Re: (Score:3, Interesting)

      (Offtopic, but who (besides some disgruntled mod) cares...)

      Acronyms and product names like XY6342w are not a 'human' thing. It's an engineer/geek thing. In fact I was thinking about this today: part of the success of the iPod, for example, could be thanks to its simple, memorable name. It really stands out in the myriad of alphabetic-numerically named 'generic' MP3 players. I'm sure the iPod would still be quite succesful if it was called Apple MP3Player E3807-92i, but that kind of names just aren't nice
  • Response (Score:5, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday January 24, 2007 @10:20AM (#17737748)

    So what is the proper response to the MOAB people? They are revealing real bugs, some of which could be exploitable. Ignoring them leads to decreased security. At the same time they have behaved very irresponsibly with regard to those bugs they have found, not notifying the vendor and providing time to fix before publication, nor following the route of immediate disclosure, the MOAB people seem to think it is all right to sit on bugs they find until the most convenient time for them to gain publicity. Worse, they intentionally space out the publication of the bugs, making a Dev/QA cycle to fix them have to wait till the end or commit to missing some. As such they have maximized the time of exposure for these bugs which encourages worms by giving malware authors as much time as possible.

    Obviously increasing the security of end users is not the top priority. Accurately informing the public does not also seem to be their top concern since they named their project "Month of Apple Bugs" while many of the bugs they've announced are in third-part code (some of it cross-platform) that has nothing to do with Apple. It seems to me all they care about is publicity and sensationalizing themselves in the hope that they can capitalize upon it. Looking at them in that light, it makes sense to spread out the announcement of these bugs and not inform vendors beforehand because it increases the likelihood that people will be compromised, giving them the opportunity to go to news outlets ands say, "see we told you this might happen."

    Given all of the above, what can be done? I'd certainly never want to work with people who eschew responsible disclosure and are interested only in themselves, nor would I trust them. But any press is good press, and most people are not security people and won't even understand what it is these people are doing, they'll just know they got press for security research. Is there any way the security or computing community can discourage this crap in the future and make it clear that irresponsible behavior like this is unacceptable?

    • Not to let Apple off the hook, but it seems to me this could be handled better.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      LOL.

      You make it sound like this is the first time anyone has ever done anything like this. Since the conception of BOF and FS bugs this type of disclosure has occured. And I think you are way off here saying they are only looking out for themselves. Have you every attempted to do a disclosure with Apple? It's nearly impossible. These 30 odd bugs they are going to release would take apple YEARS to fix if this disclosure method was not taken.

      I'm sure both of these researchers are Apple users or such a project
      • Re:Response (Score:5, Insightful)

        by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday January 24, 2007 @10:49AM (#17738190)

        And I think you are way off here saying they are only looking out for themselves.

        It is the only reason for this method of disclosure I can think of.

        Have you every attempted to do a disclosure with Apple? It's nearly impossible.

        What? They have a bug reporting form on their Website. You don't even have to give them any info on who you are. I've submitted bugs that were fixed in short order, although none were security issues. My coworker a few offices down submitted a local escalation security bug though and it was fixed a few weeks later and he was given credit in the the security update. How is that "nearly impossible?"

        These 30 odd bugs they are going to release would take apple YEARS to fix if this disclosure method was not taken.

        That's just bullshit. If they found the bugs this month and handed them all to the respective vendors then announced the results at the end of next month all the vendors would fix them before the announcement.

        I'm sure both of these researchers are Apple users or such a project wouldn't have taken place.

        At least one of these "researchers" has performed the month of bugs thing on other vendors, one of which was cancelled when he was paid off, as I understand it.

        It's my belief that they are sick of Apple's antics and simply want results.

        If they followed the schedule I listed above, and Apple did not fix them within that one month dev/QA time these guys could scream bloody murder and I'd be right behind them. They'd be following responsible industry practices and Apple would be in the wrong. I'm firmly convinced they did not do this because they were pretty sure Apple would fix the bugs and they would get only minor press once, instead of ongoing sensationalist press.

        Also, before you go to far in defending these guys, you do know they are now accused of illegally exploiting one of their bugs against users before announcing it, right?

        • It's not impossible to report a security bug to apple and get a response.

          Though a misunderstanding of UNIX permissions, I reported what I thought was a security problem to apple. Apple responded, followed up with me, by then I'd figured out that I was a moron, and what I could do to make what I want happen.

          The main point was that Apple was quick to respond (hours). I can't imagine that they'd be any less responsive for a REAL security problem, that the reporter could demonstrate.

          If you're curious on what
      • by Goaway ( 82658 )
        And I think you are way off here saying they are only looking out for themselves.

        Have you tried actually reading their blog [blogspot.com]? With all the self-promotion, personal attacks and vitriol, it's glaringly obvious they are doing this first and foremost for drawing attention to themselves.
      • Re: (Score:3, Informative)

        by shawnce ( 146129 )

        Have you every attempted to do a disclosure with Apple? It's nearly impossible.

        Yeah we have. It is actually rather easy to do. Personally I would file a defect with Apples bug-reporter system and then send an email into the product-security email address with a reference to the bug number.

        http://www.apple.com/support/security/ [apple.com]
        http://developer.apple.com/bugreporter/ [apple.com]

    • Re: (Score:1, Insightful)

      by bbernard ( 930130 )
      "At the same time they have behaved very irresponsibly with regard to those bugs they have found, not notifying the vendor and providing time to fix before publication, nor following the route of immediate disclosure, the MOAB people seem to think it is all right to sit on bugs they find until the most convenient time for them to gain publicity."

      Spoken like a true Mac apologist. How dare anybody manipulate any information, timing, or accuracy to make my computer company look bad! Welcome to the world that
      • Re:Response (Score:5, Insightful)

        by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday January 24, 2007 @11:06AM (#17738430)

        Spoken like a true Mac apologist. How dare anybody manipulate any information, timing, or accuracy to make my computer company look bad! Welcome to the world that Microsoft lives in, here's your initiation T-shirt.

        Who cares about making Apple look bad. I'm concerned about the very real security implications of these actions. They're putting people at risk in order to get press and ignoring the established practices of the industry. You can argue for delayed disclosure based upon vendor response. You can argue for immediate disclosure. Now do tell me the argument for not informing the vendor and not informing the public until a specific day. It doesn't matter what vendor they are doing this to, it is still unethical.

        Where is this outrage when an unpatched Windows bug is announced?

        There are valid reasons for announcing an unpatched bug in some situation and I fully support that. In some cases there are even valid reasons for announcing a bug to the public immediately without disclosing it to the vendor first. That said, this is neither of those cases. There is no security justification for immediate disclosure in this case. And, they aren't disclosing immediately, but are delaying disclosure.

        Admittedly, flaws in 3rd party software don't really seem to have any business in the MOAB list, but of the 23 issues they've reported so far I believe only 3 have been for 3rd party apps.

        That would be 6, not 3... or approaching 1/3 of them.

        The fact is that yes, there is a "more responsible" way that vulnerabilities should be handled by the MOAB team. However, Apple could do a better job as well.

        I think that is understating the case. They're accused of actually using the bugs to exploit users before announcing the bugs. That goes way beyond "less responsible" and enters the realm of "probably criminal." As for disclosure times, When you're dealing with a vendor that provides no feedback and has a history of slow bug fixes and you think the vulnerability might be being exploited in the wild and there is a work around, immediate public disclosure makes sense and increases overall security. When you're dealing with a bug in OmniWeb that is almost certainly not being exploited, it makes no sense. These guys provide immediate feedback and turn around security related bugs in hours. Yet the MOAB project not only did not give them hours, they never bothered to inform them of the bug at all and they had to learn of it from someone who read the MOAB and reported it to them from there. That is indefensible.

        The whitewashing job Apple has done demanded (to some people) a highly publicized "retaliation" to prove that, indeed, Apple's feces doesn't smell like roses after all.

        Whitewashing job? Do elaborate. How is Apple covering up security problems or misinforming people?

        This is the message that just doesn't seem to get across to Macintosh users, and until they not only get the idea that their OS isn't 100% secure, and that they need to take precautions just like Windows (and Linux) users then people like this MOAB team will continue seeking publicity more than seeking to "responsibly" get vulnerabilities reported and resolved.

        Umm, but Mac users to date haven't had to take any security measures to have a negligible possibility of malware infection. That could change in future and Apple should be proactive about keeping it that way, but you can always spend more effort on security. I'd like Apple to do more, but so far they have been "good enough" and I haven't seen them misinforming anyone. Some of their Ads may oversimplify, but that is a good thing since most people don't want complex messages about computers security. "Get a mac and you're safer than if you have Windows" is about as complex as the average consumer can handle and remember.

        • "That would be 6, not 3... or approaching 1/3 of them."

          My apologies. I went back and identified 3 more that were, indeed, not Apple software.

          "They're accused of actually using the bugs to exploit users before announcing the bugs. That goes way beyond "less responsible" and enters the realm of 'probably criminal...' Umm, but Mac users to date haven't had to take any security measures to have a negligible possibility of malware infection."

          Haven't you just argued both sides of the same point? There's nothing
          • Re:Response (Score:5, Insightful)

            by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday January 24, 2007 @12:18PM (#17739548)

            Haven't you just argued both sides of the same point? There's nothing Mac users need to do to protect their machines, yet the MOAB people are accused of exploiting these bugs in the wild? Either one or the other of these statements is, therefore, incorrect.

            No, that is not the case. Apple has an install base of millions. Colloquy users, on OS X, using that software actively on a channel where it is being exploit, in that one week window between the discover/alleged use and fix make up a negligible part of those millions. Adding together all the exploits used in the wild, including trojans, still accounts for a negligible part. I'm more likely to lose data because I got in a car crash which destroyed my laptop than I am to be remotely exploited.

            But that does not mean that the platform is safe.

            This statement is meaningless. Nothing is ever "safe." Even if you have a mythical, perfect computer security system there is the possibility that Illuminati agents will kidnap you, use drug and hypnotherapy, and make you copy all you data onto disc and give them a copy then forget about it. Security is relative. OS X is much better than Windows, but much less secure than OpenBSD. The point is to keep your customers happy by providing most of the with security that is appropriate. Given the lack of widespread exploitation on OS X, they are succeeding thus far.

            "Black Hats" aren't hacking as much anymore just for kicks

            There are lots of reasons OS X is less likely to be exploited, including market share, default settings, and the skill set of most malware authors. New worms already attack multiple Windows vulnerabilities to increase their chances of spreading. There have been cross-platform worms. There are worms that mine data, like online account info and CC#'s The motivation for adding an OS X exploit is there, if it is easy enough. There are a number of worms written for purposes like prestige, attention, and profit that would be more effective if they targeted the Mac. To date, it has not been easy enough.

            Where is the money in hacking a Mac? How many financial institutions rely on Macintoshes for storing sensitive data?

            If you're being directly attacked by a skilled researcher, the Mac is not the best platform. Use a locked down SELinux setup. That does not apply to most people, however. For the data on average laptops that widespread malware is targeting, macs have plenty of it. Half of the Windows machines you hit are going to have nothing of worth because they are owned by people in relatively poor areas, many pirating Windows. Mac users are relatively affluent by comparison.

            How many Macs does the DoD use?

            This is not really relevant do to the same reasons as above, but it is an interesting question. How many do they use? What naval intelligence? What about the CIA. I know some CIA operatives had powerbooks because they handled large satellite photographs and maps better. As for other uses, I don't know. Do you?

            The absence of evidence of active hacking against the Mac platform is not proof that it is secure.

            The relative lack of hacking against the Mac platform is one reason why it is more secure than Windows. Nothing is ever, "secure."

            That's the logical fallacy that Apple is happy to perpetuate, and that the "Mac Nation" will happily swallow. That's the Kool-Ade that I'd like to see fewer people drink.

            99% of people don't know what an "OS" is. If you tell them that Macs are not "secure" and neither is Windows and they need to take a course in computer security to learn safe practices, they'll ignore you as another techno-babbling geek. You might convince them to stay with Windows instead of switching to a Mac because both are insecure, right? Practically speaking the message, "get a mac and you're less likely to have security problems" is more likely to increase the overall security in our current environment than anything else. It gets people to switch to a company that needs to keep customers happy or it loses money and it gives MS incentive to make their machines more secure. Attempts to confuse this message or make it more complex are likely to result in net decreased security.

    • Re: (Score:3, Insightful)

      by DLG ( 14172 )
      I was more troubled by the way they treated Omniweb, a small software company that has a good reputation for being responsive to users and released an update to the bug almost immediately. The workaround is to use Firefox (which has its own bugs) or wait for Omniweb to release a fix. They didn't bother to update their bug report to point to the fix.

      I think in general they haven't got much press. People who argue that Apple's are no more secure than other OS's will continue to miss the point, which is that M
      • Re:Response (Score:5, Informative)

        by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday January 24, 2007 @11:35AM (#17738840)

        I was more troubled by the way they treated Omniweb...

        Even more troubling is the hubbub surrounding their Colloquy vulnerability, mentioned in this article [arstechnica.com]. They are accused of actually using the exploit on a public IRC channel before releasing the vulnerability and publishing a log of that hack in the announcement. I don't know if it is true, but given their behavior with the rest of this project they're slipping more and more towards the blackhat end of the spectrum.

        • How is it "flamebait" to link to an article about the MOAB people being accused of criminal activities related to their project?

        • Re:Response (Score:5, Interesting)

          by DLG ( 14172 ) on Wednesday January 24, 2007 @01:20PM (#17740576)
          I just searched around on this, and was also disturbed by what I see which can be summed up by 'they tested it live, the developers fixed the bug based on the attack, the MOAB team posted a release with evidence of the attack, then removed it, then denied it happened, and denounced all potential proof as unreliable'

          The parent shouldn't be modded flamebait, but thats not really important. Even the fact that they used it live was relatively minor (it wasn't infecting peoples computers as far as I could tell). What bothers me is that the lack of transparency they accuse Apple or other developers of, hardly seems valid in light of their own lack of honesty. This has been questioned before, and if they hadn't already made themselves look a bit foolish by targetting open source multiplatform tools, they certainly would have lost credibility based on this stunt.

    • Apple may be better, but I've heard stories on this very forum, where several people complaining that Apple took many months to fix problems. I have not seen any fix to the Quicktime HREF vulnerability that caused virus trouble at MySpace, and I'm pretty sure Apple's known about that for several more weeks than this.
    • by nathanh ( 1214 )

      So what is the proper response to the MOAB people? They are revealing real bugs, some of which could be exploitable. Ignoring them leads to decreased security. At the same time they have behaved very irresponsibly with regard to those bugs they have found, not notifying the vendor and providing time to fix before publication, nor following the route of immediate disclosure, the MOAB people seem to think it is all right to sit on bugs they find until the most convenient time for them to gain publicity.

      • Re: (Score:3, Insightful)

        Two of the bugs had been reported to Apple one month before MOAB begun. Apple did nothing (and they've still done nothing). One of the exploits was already in the wild (real-world machines being compromised) and MOAB simply reported it. Apple still hasn't fixed that one either.

        Citation please.

        Two bugs are related to stupid design decisions in Safari that date back two years and Apple still hasn't fixed those faults.

        This is incorrect. Several of the bugs (as they list them) take advantage of a design

  • by jpellino ( 202698 ) on Wednesday January 24, 2007 @10:24AM (#17737798)
    This fix is in line with the typical timing and attention given Apple security updates - relatively quick and competent.

    This pretty much busts MOAB's claims of Apple's ignorance and/or hostility at bug reports.

    Apple has been doing better than most, fixing 99.9% of their problems through their established channels without MOAB's brand of nonsense. Count all the bugs fixed thru the normal dev bug report process. Count all those fixed by MOAB's. Compare.

    IIRC nearly a third of their "Apple Bugs" are 3rd party problems to begin with.

    MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.

    If Apple users make you cry, go kick your tires.
    You want the world to believe that you're a responsible developer that anyone will listen to or hire, prove it in daylight.

    • Re: (Score:2, Informative)

      MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.

      This may be true and there may be better ways (using the Bug Report server for example), but if the end result is getting these problems fixed and a better system out of it, then I am happy with the effort put into it.

      Maybe we need something like this for Linux and Windows?
    • Re: (Score:3, Informative)

      This fix is in line with the typical timing and attention given Apple security updates - relatively quick and competent.

      Not sure I'd agree with that, actually. Apple is generally regarded as being slower than Microsoft at patching problems. According to the MOAB folks the QuickTime HREF universal XSS was patched slowly and then only for MySpace (huh?). Plugin XSS is pretty serious! It's possible they got better, but according to this study from 2006 [washingtonpost.com] it took them 91 days on average to fix known exploits.

      • by 99BottlesOfBeerInMyF ( 813746 ) on Wednesday January 24, 2007 @11:21AM (#17738664)

        Apple is generally regarded as being slower than Microsoft at patching problems.

        Yeah, I've read those studies in detail. The Window of exposure for exploits was much higher with Microsoft products and they only cover publicly acknowledged security bugs. My info says less than half of the security bugs MS finds internally are fixed ever. I don't know about the situation at Apple.

        ...but according to this study from 2006 it took them 91 days on average to fix known exploits.

        You're confusing the term "exploit" with "potential vulnerability." A lot of Windows vulnerabilities are disclosed when someone notices an exploit in the wild. This has never been the case with Apple, as far as I recall. The window of exploitation is the time between when blackhats start exploiting a hole and when the vendor fixes that hole. That is the number that counts and MS is way behind on it.

        Yes, of course, it's silly to call it the "Month of Apple Bugs" when they are also reporting exploits in third party software. Unfortunately, it's also understandable - the fact that many security problems in Windows are caused by third party software does not stop people blaming Microsoft for the insecurity of the Windows platform.

        Yeah and if an uninformed guy off the street confused these I'd understand, but these are supposed to be security researchers. When that happens, it isn't a mistake, it is knowingly promoting a falsehood.

        Given that quite a few of these third party exploits are privilege escalation (eg instant root), it is Apples problem.

        Certainly I'm all in favor of Apple finishing their MAC implementation and locking down applications and threads, but the chances of being exploited right now is so small that it is not an issue for customers yet.

        I quite agree that these "Month of X bugs" things seem to be quite irresponsible and even immature. I'm not sure what the point of them is, except to make a bad situation worse.

        The point is to generate press for the "researchers" at all costs, even if it means promoting the creation of worms in the hopes that they can get more press out of that.

  • Maybe this [wikipedia.org] is Apples strategy to any future iPod pre^H^H^Hcontenders.

  • Submitter might want to read the Apple article that was linked to. It specifically mentions MOAB and where to find the QT file.
    • Submitter might want to read the Apple article that was linked to. It specifically mentions MOAB and where to find the QT file.

      I did in fact read the link, and I stand by my statement.

      "Description: A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution. A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-0

  • Any other vets out there who keep reading these headlines about the MOAB and wondering how Apple's Cupertino campus survived the "mother of all bombs"? I mean, you gotta love those later-day daisy-cutters and once you've seen one of those things falling out of a C-130, the MOAB acronym just doesn't work for anything else.
    • by Zordak ( 123132 )
      I've never even been in the military, and that's the first thing I thought of. But then I did formerly work for a defense contractor.
    • I'm no vet, but that's the first thing I thought of when seeing the acronym. Some time ago I caught a Discovery Channel show about the MOAB. The show also talked about a new device that was deployed from an aircraft like a bomb, then split apart and threw out hundreds of these spinning discs that communicated amongst themselves and then started firing at targets. They showed a brief demo of one of the devices taking out an entire tank column.
  • Response? (Score:3, Interesting)

    by UnknowingFool ( 672806 ) on Wednesday January 24, 2007 @11:40AM (#17738898)
    Apple has released what appears to be the first security update as a result of the "Month of Apple Bugs.

    I don't know about that. Apple releases updates routinely and seem to be on a monthly schedule. I wouldn't say it was clear case of cause and effect.

    • http://docs.info.apple.com/article.html?artnum=304 989/ [apple.com]

      The summary is wrong. Apple specifically said that the fix is in response to a report from MOAB.
      • Re: (Score:3, Informative)

        The summary is wrong. Apple specifically said that the fix is in response to a report from MOAB.

        To clarify, they say it was made public on MOAB's Web site. They did not say it was in response to that announcement, nor did they imply that MOAB had reported the problem to Apple, via the normal bug report channels.

    • This is true, and I've argued that point several times. In a way, I contradicted myself when submitting the summary, stating that it appeared to be a result of MOAB and then saying it didn't appear to be explicitly a result of MOAB.
  • Lots of comment... (Score:5, Informative)

    by shawnce ( 146129 ) on Wednesday January 24, 2007 @11:48AM (#17739044) Homepage
    I am see several comments from folks stating that they are surprise that Apple is taking steps to patch issues ("taking it seriously", etc.). I find that a little strange comment given that Apple is actually rather good about addressing vulnerabilities that others report to them and give them credit (if they reported it to Apple). Granted Apple's general no comment policy [apple.com] until investigated and patched can be a little annoying if you report an issue and would like to know more but that policy doesn't mean that Apple doesn't take security reports seriously.

    Just review all of the attribution Apple has given for the many vulnerabilities they have addressed over the years. For example look at the security release announcements for 2006 [apple.com] (mailing list archive).

    As a side note a few MOAB issues are centered on group admin writable locations that can be used to take over the system is you have local access (possibly via a remote exploit). It may take Apple a little while to address this type of issue given the possibility of permission changes causing Apple and 3rd party software (installers most likely) to fail for customers. Luckily a few new security related feature will debut in Mac OS X 10.5 that will make this type of attack harder to pull off (us 3rd party developers should adopt them ASAP).

    A brief listing...

    CoreGraphics
    CVE-ID: CVE-2006-1444
    Available for: Mac OS X v10.4.6, Mac OS X Server v10.4.6
    Impact: Characters entered into a secure text field can be read
    by other applications in the same window session
    Description: Quartz Event Services provides applications with
    the ability to observe and alter low-level user input events.
    Normally, applications cannot intercept events when secure event
    input is enabled. However, if "Enable access for assistive
    devices" is on, Quartz Event Services can be used to intercept
    events even when secure event input is enabled. This update
    addresses the issue by filtering events when secure event input
    is enabled. This issue does not affect systems prior to Mac OS X
    v10.4. Credit to Damien Bobillot for reporting this issue

    Keychain
    CVE-ID: CVE-2006-1446
    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS
    X v10.4.6, Mac OS X Server v10.4.6
    Impact: An application may be able to use Keychain items when
    the Keychain is locked
    Description: When a Keychain is locked, it is not possible for
    applications to access the Keychain items it contains without
    first requesting that the Keychain be unlocked. However, an
    application that has obtained a reference to a Keychain item
    prior to the Keychain being locked may, in certain
    circumstances, be able to continue using that Keychain item
    regardless of whether the Keychain is locked or unlocked. This
    update addresses the issue by rejecting requests to use Keychain
    items when the Keychain is locked. Credit to Tobias Hahn of HU
    Berlin for reporting this issue
    .

    GDB
    CVE-ID: CVE-2006-4146
    Available for: Mac OS X v10.4 and later
    Impact: Opening a maliciously-crafted DWARF binary with GDB may
    lead to arbitrary code execution
    Description: GDB, the GNU Debugger, is susceptible to multiple
    vulnerabilities that may lead to arbitrary code execution when
    loading maliciously-crafted DWARF binaries. This update
    addresses the issues by performing additional validation while
    handling DWARF binaries. Credit to Will Drewry and Tavis Ormandy
    of the Google Security Team for reporting this issue
    .

    etc.
  • by Anonymous Coward
    ...by doing security review and finding some flaws that shouldn't be there in OS X.

    We value OS X for its security and Unix-derived security and stability. How can you all claim to be good Commie open-sourcers like Stallman is and still oppose any peer-review that leads to the improvement of one or more BSD distro's security?

    Many of these flaws are common on all platforms. OS X developers will have to be more careful in coding as this review shows. If we want to go on being secure on our virus-free platf
  • by gsfprez ( 27403 ) on Wednesday January 24, 2007 @01:11PM (#17740424)
    many of the bugs are problems that are just outright bizare in thinking of how they'd get executed.

    "Here is a malformed HFS+ filesystem that can potentially cause a kernel panic and cause arbitrary code execution. you should all be quaking in your boots."

    now just one damn minute... first, you have to get me a DMG, which, apparently, will instantly panic the kernel. Fine. so what? In real life, i'd throw out the dmg file, download it again, it would panic again, and i'd give up.

    I'm missing (and it could just be me) how that's in any way exploitable in any meaningful sense.

    i think the problem is that MOAB is putting on a show of bugs.. and nothing more. These are bugs that either made it past the guys in Cupertino, or they just didn't see them as that big of a deal, and figured they'd get to them eventually.

    Some of these bugs are bad and could cause Macs the world over to get pwn3d and get used to do whatever you can do with an pwn3d Windows box. Fine.

    But many of them are just, well.. bugs that causes the system to crash. So the hell what? Without some kind of setup and extreme set of circumstances, the majority of the bugs here crash your system, and then you reboot...

    Microsoft's problem has been "be a user on the internet with their software, get pwn3ed." I'm trying to see which of these bugs would give Mac users similar "functionality".

    #21 requires a local user to take advantage of this escalation problem - on a machine that they are probably already the only user of

    #20 is the same thing... as is #8, and #15.

    the bulk of the others are "DoS, cause computer to crash with possibility of arbitrary code execution..." and that assumes the panic condition is consistent.

    the only actual scary ones are #19 (not apple's software, and i don't even know if it could actually allow arbitrary code execution), #17, #1 (now fixed), #2 (not apple, and fixed), #4, and #20... so, 6... and 4 are left.

    this is just stupid.. my machines are still buck naked on the internet, and i'm still not scared at all.
    • these bugs can cause arbitrary code execution because they are crashes that happen deep in the kernel. if you sculpt your malformed input correctly the instruction pointer will actually hold the value of your input. if your malformed input is 01 02 03 04 05 06 07 08 09 (this is just an example) and the buffer over runs when it gets to the 04, then the EIP will be pointing to 05060708. the system will try to execute the command at 05060708. put the beginning of your virulent code at that location of memo
    • by marmoset ( 3738 )

      #19 is fixed [stevenf.com], and the developers somehow resisted the urge [stevenf.com] to slap the snot out of these jerks for not emailing them privately beforehand.

    • if you don't consider "DoS, cause computer to crash with possibility of arbitrary code execution..." to be a serious security issue you have very very low standards. They can crash your machine causing you to lose any data you have open and potentially they can get complete control over your machine instead if they can get the exploit details just right.

  • by toonerh ( 518351 ) * on Wednesday January 24, 2007 @01:22PM (#17740600)
    See their update notice [apple.com].
  • so... January is MOAB?

    but every month, including this one, is MOM$B
    ---
    jeez, these MOAB guys are real douche bags... too bad (for them) what comes around goes around

"The only way for a reporter to look at a politician is down." -- H.L. Mencken

Working...