MacDailyNews - Where Mac news comes first

Nov 26, 07 - 12:20 am Comment from: silverhawk

Social engineering and reported by Symantec. A fool and a fool looking for money.

Nov 26, 07 - 12:43 am Comment from: TowerTone

Saying something "opens Windows XP, Vista to attack" is like saying "there is a hole in my Windowscreen"....


It was just made that way.
And it seems that bugs always find a way in through the screen.

Nov 26, 07 - 01:37 am Comment from: Road Warrior

Actually that gaffe comment should read :"A gaffe by Small Impotent Prick developers (aka Microsoft), however, makes attack easier on Vista, since they let programmers disable the super complex but still ineffective said Address Space Layout Randomization (ASLR). People from the AFZ (Acronym Free Zone) are still trying to figure out what exactly ASLR means."

Nov 26, 07 - 03:44 am Comment from: kikamouse

I have absolutely no problem with Apple creating FUD on their next Get a mac ad. Unfortunately Reality Check you make it sound as if Microsoft has never done such a horrible thing. The truth is Microsoft has done far worse than this. For anyone to say Apple is incapable of this nor would never do this I think is naive. I do believe that Apple's customer base is far more critical than the Microsoft Fan base. I work at a retailer that sell both Macs and PC's. By far the Mac community is far less tolerable to slight of hand tricks by Apple when recognized than the Microsoft Client base. People just accept the Microsoft as "Good enough" to even concern themselves with any moral dilemma such as a FUD campaign and accept what Microsoft shovels in their mouth for face value. It is sad to see this every day when consumers in general should be more demanding of their products. I think overall Apple is the most responsible company out there in the Tech industry. To say they never do anything morally wrong or no FUD campaigns is pushing it too far in my opinion.

But also keep in mind Apple is the biggest software developer for Microsoft outside of the Redmond buildings. To make such a vulnerability in their software would bring into question everything Apple is trying to accomplish: Simply getting a mac is better than getting a PC. Apple is trying to make good software available on the PC for people to consider Apple as a serious competitor to Microsoft. That's it! Apple is forcing Microsoft to play on a level field which Microsoft has never historically been good at doing. Apple is simply playing to Microsoft weaknesses and making the vulnerabilities of Microsoft, strengths on the Mac platform. Thank goodness with a company like Microsoft, there are plenty of problems to chose from. Microsoft has become a fat lazy company that values the relationship of their partners more than the relationship of the actual consumers that keep Microsoft alive. I honestly hope that Microsoft can see the error in its ways and have some time to correct itself. So far though, this is not the case. There is plenty of room in the computer industry for many more platforms to exist other than Microsoft and Apple. Unfortunately, nothing has come up yet that is truly seen by consumers as a viable alternative. If Microsoft stays on top, this gives Apple clear motivation to continue to improve and inovate all of their products. If Microsoft goes under, then it is likely Apple, could become potentially another microsoft. Apple's fan base would abandon Apple far earlier before Apple became that fat and lazy.

The truth is, Apple needs Microsoft to continue to compete on a level playing field. The same truth is, Microsoft cannot survive long with Apple innovating the way they are doing right now and marketing as horrible as they are. To see how Microsoft is becoming a sad worthless company only helps Apple. Microsoft is seen as a generic distant second place to Apple in the eyes of many consumers. In fact, enough consumers see Microsoft as a distant second to Apple to help Apple flourish in the shadows of Microsoft. This is the same thing that happened to Apple when Microsoft was starting out. Apple was too arrogant under John Scully to realize the power Microsoft had to completely revolutionize the PC market the way they did. Now the tables have turned and Microsoft is too arrogant to see Apple thriving on Microsoft's Short comings.

ASLR is not something that M$ can lay claim to as the term was invented by the PaX project back in 2001/2 for Linux. However the fundamental principle of Address Space Randomisation has been in use in secure computing systems for over 30 years predating interest by any of the aforementioned groups. It is a standard military systems technique and while it sounds good is of limited, very limited, benefit. Essentially it is a security through obscurity approach on the assumption that if you cannot find all the bits of the system thread you wish to attack then you cannot attack. Clearly this will help prevent a very small number of attacks, but given the vast memory capacities now in use by most systems, an analysis of memory space is reducing in interest for the majority of hack attacks. The randomisation itself is still at block granularity level no matter whose system you go with and buffer overflow and related attacks can still do their stuff within one block. As address space increases so does the size of memory blocks and the consequent reduction in effectiveness of this technique.

So I for one am not getting excited about it.

Nov 26, 07 - 07:29 am Comment from: TFB

Wow, so this Security feature for Vista requires Vista-specific mods to any Software to be of use? I wonder how many others use the feature.
Is it just a matter of changing a compiler flag, or are code-changes necessary?
"Apple's forgetfulness prompted Symantec analyst Anthony Roe to note: 'This makes reliable exploitation of the vulnerability a lot easier."
Was it forgetfulness or just market-realities? Would Quicktime have to be significantly modified to use ASLR? How many others use this Feature? Does Reality Check know more about this to be so judgmental? If so, please explain the technical aspects of making Quicktime compatible with Vista and ASLR.
Otherwise, stop trolling.

Is there anything that DOESN'T open Windows to an attack?

Nov 26, 07 - 07:38 am Comment from: TFB

"Is there anything that DOESN'T open Windows to an attack?"

The "Off" button?

TFB says it all!

Well said indeed.

Nov 26, 07 - 09:33 am Comment from: Shinobi

This QuickTime zero day also affects all versions of Mac OS X too.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1283598,00.html

Read at the link below that QuickTime has had 31 reported vulnerabilities this year. Come Apple do some code scrubbing before releasing. Make you wonder how many more zero day flaws are hiding in the rest of Apple's code.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=software&articleId=9048678&taxonomyId=18&intsrc=kc_top

Also believe it or not, Leopards implementation of ASLR is more flawed than Microsoft. Its unclear why Apple severly crippled their implementation.

http://www.matasano.com/log/981/a-roundup-of-leopard-security-features/

Before all the troll name calling start read the last Article for your self.

Apple needs to beef up their code review for security issues and properly implement new security features. We need to keep the pressure on Apple to do more work on the prevention side.

31 QuickTime vulnerabilities in 11 months is ridiculous. OS X is a great base to build on, but Apple needs to do some serious code scrubbing before releasing software and get ASLR corrected ASAP.

Yes Apple fixes flaws quickly, which is great. But they need to focus on finding and fixing these flaws before releasing software for public use.

Of course they can't find all of them, but they can find more than they have been.

Nov 26, 07 - 09:48 am Comment from: Big Al

@ Shinobi

QuickTime vulnerabilities are being found now because Microsoft is paying Security Weenies to look for them. Apple happily uses this paid service to patch any vulnerabilities that are found.

Microsoft uses the numbers to point out that Microsoft products are more secure.

No one believes Microsoft's BS.

Windows continues to be exploited, Mac OS X does not get exploited.

It's a symbiotic relationship. Even you are making Microsoft bucks on the situation. Everyone is happy.

You have a point. It just may be that Vista is requiring other software to be super flexible just so it does not have to be. That Would smell of Microsoft.

I am curious as well.

en

Nov 26, 07 - 10:01 am Comment from: Shinobi

@ Big Al

That could be True....

But wouldn't it be more beneficial for Apple to do some code scrubbing in house for the protection of its user base and to maintain its reputation for security?

Microsoft has a horrible reputation for security, exploit after exploit for decades.

OpenBSD on the other hand leads the entire industry with only 2 vulnerabilities in 10 years. I would like for Apple to have that type of security History.

Nov 26, 07 - 10:06 am Comment from: Ampar

Isn't Vista just a 15 GB virus delivered by DVD?

I suspect that by fully implementing such measures in Quicktime on Vista would probably compromise the flexibility and usability of QT in ways that would put it (and no doubt many other developers have similar choices) at a disadvantage against WMV which no doubt has been given special advantages over outside software in direct access to this feature- if only by the time it has had to implement it in the 5 years of Vista 'development'.

Of course the fact that you can condemn Apple for poor security or/and give yourself a competitive advantage should they take compromising actions to prevent such accusations are I am sure purely coincidental. Generally the public isn't sophisticated enough to understand the full implications for outside developers in these matters.
Equally the fact that Apple is receiving much of the blame for this apparent 'flaw' at the hand of Microsoft's pet press shows RC's ludicrous contention that this is a deliberate ploy by Apple to be surreal even by his own delusional standards.

@ Reality Check

"ASLR is a feature MacOS Leopard implemented for the first time ... I guess we had all better ignore the fact that Microsoft implemented this important security feature first."

Lies from "Reality Check" -- believed, by the way, to be a pseudonym used by the Windows shill Paul Thurrott -- as usual.

Microsoft was most certainly NOT the first to implement address randomization. OpenBSD had it before, so did Linux. In fact:

"The first design and implementation (and indeed the coining of the term ASLR) was made public in July, 2001 by the PaX project."

http://en.wikipedia.org/wiki/Address_space_layout_randomization

Show me a Windows shill, and I'll show you a liar.

Nov 26, 07 - 12:21 pm Comment from: NewtonsApple

So, how many of these 31 "vulnerabilities" in QT have been exploited?

Nov 26, 07 - 12:40 pm Comment from: Shinobi

@ NewtonsApple

Okay lets take a reactive approach like Microsoft and wait until every attacker is also writing exploit code for Macs.

As you can see, Microsoft has never recovered.

If we want OS X to be the security fortress, then you can't afford to keep spilling blood in the water. It attracts predators. As most attackers know, where there is one vulnerability there are usually many more.

The 31 QuickTime vulnerabilities in 11 months, definitely proves that belief true. This hurts Apple in the long run as more attackers see that Apple does not scrub their code well before releasing it.

This makes OS X and Apple Software a more attractive target for zero day exploits.

Virus writers don't target the OS X or most *nix based systems because of its file permissions and user account domains make it difficult for the viruses to spread.

In the case of buffer overflows, all general purpose operating systems are susceptible to attack and have been for over 20 years. Releasing code that has so many buffer overflow attack vectors is shameful and not a good security practice.

Hopefully Apple becomes more proactive and not follow in the doomed Microsoft trail of just reacting.

Altogether now:

IT'S NOT A BUG, IT'S A FEATURE!

Nov 26, 07 - 01:15 pm Comment from: Ampar

"Keep on guessing - you got my first name correct. "

Paul Harvey?

And now we know the rest of the story.

"There was no word as of Sunday whether the Mac OS X versions of the media player are also vulnerable."

Until we Mac Fans know the answer to this question let's not gloat too loudly.

QuickTime does seem to have a lot of vulnerabilities popping up over the last couple years.

I am guessing that it's partly due to the age of the software - there's probably still code in there that was written in 1992, that was originally designed for the classic Mac toolbox and has since been hotwired into OS X and Windows. QuickTime also does a lot of low-level "black magic" to improve media performance (theft of some of this code was the subject of a lawsuit against Microsoft some years ago) which may also contribute to its tendency to host vulnerabilities.

On the one hand, it's impressive that QT has proven so versatile and has had such longevity. On the other hand, maybe it's time for a code review...

Nov 26, 07 - 07:01 pm Comment from: Shinobi

@Ryan,

Thanks for the input...That would make a lot of sense that the Quicktime code has perhaps quite a bit of outdated code in there from the early 1990's.

Nobody probably wants go back in there and potentially break something. However, all these Quicktime vulnerabilities are proving that there are a lot of holes in there. Maybe it is time that Apple does a code review and improve the code quality.

I can already see the next iphone Jailbreak using this flaw or another one hidden in there.

Nov 26, 07 - 07:08 pm Comment from: Road Warrior

@reality check who said

""first" was in the sense of 1st Microsoft, then Apple. Not in an absolute sense. Apologies for the confusion. In any event, it was only in response to the 4th poster who seemed to imagine that this was something Apple hadn't heard of."

I never said that Apple had not heard of ASLR. I said, and I quote. "People from the AFZ (Acronym Free Zone) are still trying to figure out what exactly ASLR means.""

I guess I should have added with big bold letters: HUMOR (Hilarious Useful Meanings Of Reality).

Duh.

Nov 26, 07 - 09:28 pm Comment from: Cubert

@Ampar,

Classic.