Update: Ok, it's not even related to Apple at all. The recent one is targeting the open source VLC player. Odd, this "exploit" doesn't even crash VLC for me. It just says, "failed to open socket". Other people say they can crash VLC (and just crash). But nothing happens at all to me with VLC 0.8.6. Nonetheless, it's clear from this that these people are just trolling. 1. VLC isn't made by Apple and has nothing to do with Apple other than it runs on Mac OS X. 2. The same problem exists in the Windows version. 3. The default MP3 URL Playlist (m3u) handler is iTunes, which does not have an issue with the generated m3u.
Even more so, VLC is open source. If he truly, truly wanted stuff to be more secure, he could just fix it himself. But he's trying to troll for attention. So he won't fix it, he'll just advertise it.
Remember, just because something crashes, does not mean it is exploitable. For example, the DMG kernel panic isn't exploitable. The system is having its state corrupted, recognizing it, and halting. So it just amounts to a denial of service attack. By that, I mean denying you from downloading porn on the internets until they reboot.
Only one of the 23 people I've talked to actually got this QuickTime streaming exploit to speak anything. It seems to be pretty machine specific. Everyone can get it to crash QT Player, however. In order to get it to work (by work, I mean to run the exploit), it has to do two things. 1. Make the code executable. 2. Get the code to actually run. Number one is usually quite difficult and it's what makes this example a crapshoot.
So anywho, the awesomely awesome Landon Fuller saw this problem and decided to write an APE module to fix it. Many kudos to him. See, this is the exact kind of legit use I like to see of Application Enhancer. Namely, fixing bugs in third-party, closed-source software. Just like the "fixes" released here such as iSWAD (obsolete, Apple fixed this bug in iSync 2.2 released with Mac OS X 10.4.6), SPWW (still relevant for Preview.app), and FontCard (which fixes a bug in Font Book that causes it to be unusable if specific fonts are installed). And let's not forget PD Tweaker 1.0 from the lovely Drew Thaler.
Of course, the source code to Landon Fuller's fix is available. He also says he'll update it as more attention grabbing crashers are released.
If you compile it yourself, please note that it has to be fat in order to load on the ICBMs. APE will not load single architecture plugins on the ICBMs. This is by design. Also, you'll need to install APE in order to use Landon Fuller's fix. You'll need the APE SDK if you want to compile it yourself. His code is pretty dang easy to read and very short. Which is just teh awesome.
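A quick check for the fat-binary requirement above, added here as an example and not part of Landon Fuller's fix or the APE SDK: it parses the universal (fat) header that a multi-architecture Mach-O file begins with and reports whether both a ppc and an i386 slice are present, which is what a plugin needs before APE will load it on an Intel Mac. The byte samples are constructed, and `is_ppc_i386_fat` is a hypothetical name.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Values from <mach-o/fat.h> and <mach/machine.h>, copied here so the
 * check builds anywhere. A fat header is always stored big-endian. */
#define FAT_MAGIC         0xcafebabeU
#define CPU_TYPE_I386     7
#define CPU_TYPE_POWERPC  18
#define FAT_HEADER_LEN    8    /* magic + nfat_arch */
#define FAT_ARCH_LEN      20   /* cputype, cpusubtype, offset, size, align */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical helper: returns 1 if buf holds a universal binary with both a
 * ppc and an i386 slice, 0 otherwise (thin binary, truncated file, other
 * architectures only). Only the header is inspected, never the slices. */
int is_ppc_i386_fat(const uint8_t *buf, size_t len) {
    if (len < FAT_HEADER_LEN || be32(buf) != FAT_MAGIC) return 0;
    uint32_t nfat = be32(buf + 4);
    if (nfat > 64 || len < FAT_HEADER_LEN + (size_t)nfat * FAT_ARCH_LEN) return 0;
    int have_ppc = 0, have_i386 = 0;
    for (uint32_t i = 0; i < nfat; i++) {
        const uint8_t *arch = buf + FAT_HEADER_LEN + i * FAT_ARCH_LEN;
        uint32_t cputype = be32(arch);   /* first field of struct fat_arch */
        if (cputype == CPU_TYPE_POWERPC) have_ppc = 1;
        if (cputype == CPU_TYPE_I386)    have_i386 = 1;
    }
    return have_ppc && have_i386;
}

/* Constructed sample: a fat header announcing two slices, ppc then i386.
 * A real file would carry the Mach-O slices at the declared offsets. */
static const uint8_t fat_ppc_i386[] = {
    0xca,0xfe,0xba,0xbe, 0x00,0x00,0x00,0x02,
    0x00,0x00,0x00,0x12, 0x00,0x00,0x00,0x00, 0x00,0x00,0x10,0x00, 0x00,0x00,0x40,0x00, 0x00,0x00,0x00,0x0c,
    0x00,0x00,0x00,0x07, 0x00,0x00,0x00,0x03, 0x00,0x00,0x50,0x00, 0x00,0x00,0x40,0x00, 0x00,0x00,0x00,0x0c,
};
/* Constructed sample: a thin i386 Mach-O starts with MH_MAGIC, not FAT_MAGIC. */
static const uint8_t thin_i386[] = { 0xce,0xfa,0xed,0xfe, 0x07,0x00,0x00,0x00 };

int main(void) {
    printf("fat ppc+i386: %d\n", is_ppc_i386_fat(fat_ppc_i386, sizeof fat_ppc_i386));
    printf("thin i386:    %d\n", is_ppc_i386_fat(thin_i386, sizeof thin_i386));
    return 0;
}
```

To check a built plugin, read its executable into a buffer and pass it to the function; on a Mac the same answer comes from `lipo -info`.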
Important Note: QuickTime Link (qtl) files will not load in the browser and always open the QuickTime Link file type handler. This is by design. The QuickTime plugin itself never sees it. Thanks to a very wise person that pointed me to this. Sadly, I can't remember who it was. I know so many very wise people.
Read about and Download the Fix by the talented Landon Fuller.
Looks like Landon Fuller has updated it to include the VLC fix. This update is a bit different in that it waits for the components with the bugs to be loaded instead of loading them beforehand.
Rather than updating this post every day, I highly, highly suggest you subscribe to his RSS feed. That way you'll know exactly when he updates the APE Module. It's also really neat that he's using the same APE Module to handle all the bugs.
Isn't it sad that such a great/simple technology which allows end users and developers to fix stuff on the fly very easily is also victim of trolls? Yes, I speak about APE.
Also I suggest thinking deeper about why the month of kernel bugs thing appeared... Some of those guys got seriously trolled by zealots for months. So this month of troll thing may have begun because of trolls already. :)
I hope Apple/VLC/Real (anyone tested?) will review their code regardless of how it appeared. I am afraid of those Web 2.0 troll/practical joke heavens and the fact that RTSP is a legit protocol which is used by everyone except Microsoft (doh). It is a documented, open protocol (RFC 2326) and many websites rely on it to serve content. http://en.wikipedia.org/wiki/Rtsp
Happy new year all and thanks both to Mr. Fuller and Unsanity.
It's true that qtl files are not opened by QT plug-in, but unfortunately just renaming them with a ".mov" extension makes the plug-in load them.
Yet again a very nice and informative post, thanks :)
the videolan guys will certainly become aware and "fix" the code even if the problem is not exploitable.
There is no better player for a portable mac (vlc uses extremely few cpu power to do its stuff)
Posted by: Anunnaki on January 3, 2007 3:23 AM

Okay, but why do you always post that picture of the girl? Am I missing something? :)
Posted by: Mark on January 3, 2007 9:16 AM

He likes the girl. It’s the one interesting photo he’s managed to take. Just be glad he isn’t serving up the full-sized TIFF he keeps pimping on IRC. :-)
Posted by: Ahruman on January 3, 2007 12:47 PM

Ha ha. Owned!
It couldn't have happened to a nicer bunch of pompous assholes.
Just because it crashes doesn't mean it's exploitable!
You guys fucking SUCK at writing software. Jesus what a joke!
Posted by: You have egg on your face on January 9, 2007 12:10 AM

It looks like the Rixstep idiots hated the easy fixing of bugs via APE; they bla bla about APE on their site.
BTW the homophobic comments at the MOAB site from the start reminded me of Rixstep, now I am kinda sure.
Another thing?
"Latest antivirus definitions for VirusBarrier X4
OSX.Rooter.BlackCat.A"
Well, you can't sue anyone for publishing exploits to script kiddie lamers but you can (and FBI will!) sue if there is involvement with that "team" and exploit coder script kiddie lamer.
Actually, the latest MOAB post describes a vulnerability created by APE itself. APE has always seemed like an excellent privilege escalation vector, and today's MOAB pretty much confirms this. There's no question that the MOAB guys are displaying an alarming level of childishness at this point, but that doesn't negate the security issues introduced by APE.
I came here to see if I could find a response from Unsanity. At this point, lacking an immediate fix, it seems to me the only responsible thing for Unsanity to do is post a recommendation on their home page that everyone using APE immediately disable it until further notice, and spread the word out to every Mac news site. The hack described in today's MOAB is extremely serious; it's pretty much as bad as it gets. I'd be willing to bet there are quite a few script kiddies (and script middle-aged-guys) working on a method of distributing an exploit for this bug even as we speak.
Disabling APE won't resolve the underlying issue, but it will at least downgrade the threat level somewhat. I sure as hell hope that Apple patches the root cause soon, cause this could be ugly.
In any case, Unsanity should do the right thing, and do it immediately. There's no question this issue is laid at their feet.
Posted by: Is on January 9, 2007 6:25 AM

Rosnya, you're such an ass. You foist the most insecure technology on the OS ever, kiss the butt hole of Landon Fuller for the free publicity it gives your stupid product, and then play holier than thou. You should be quarantined. Shame.
Posted by: Xune on January 9, 2007 6:25 AM

I am a paid supporter of Shapeshifter and I must admit that I am ashamed to have paid for this software that is produced by a company that acts like this.
You're acting like a spoiled brat who was just told your toy isn't perfect. Grow up.
Your application enhancer isn't perfect, nor should it be. You're not a security expert and therefore you may unknowingly leave some potentially exploitable code in your application.
That being said, you're acting like a whiny bitch about all of this.
Quite frankly a fair amount of the Mac community is acting the same way (there is a freakin surprise). Your precious little OS is not perfect, it's not without flaws, and when someone points out the potential problems, instead of being a brat about it why not fix the problem and thank the person for helping you to make a better application down the road.
Posted by: xxdesmus on January 9, 2007 8:13 AM
