Matasano Chargen: Month of VersionTracker Bugs

  • Roland Dobbins · 2 years ago
    I guess I've a more basic question - what does a VLC bug have to do with a supposed Month of Apple bugs?
  • Alex · 2 years ago
    Somebody recently said that the only way to be Punk in LA anymore is to go to a big party and exclaim, "Say what you want about George W. Bush, but he's a really smart guy!"

    Maybe the MOXB meme has made the only way to be Punk in Vuln. Discovery is to fix them.
  • KF · 2 years ago
    When I first encountered this bug I was unable to reproduce it on Win32 or Linux. I tested the vlc package for debian / ubuntu 0.8.4.debian-1ubuntu6. I also tested the most recent download of the windows version with zero indication that there was an issue.

    Call me stupid... call me lame... that's all fine. It was a simple mistake on my part or perhaps something unique to my environment as I STILL cannot trigger the issue.

    The original bug was found via the URL handler by inserting udp:// into a web browser on OSX. On win32 the udp:// handler was not registered and thus did NOT kick off the VLC player. During exploit development we found that using the browser caused some filtering to occur and we could not supply the return addresses we wanted. At that point we moved to the .m3u format.

    I have been told that rapidly and repeatedly double clicking a .m3u on Windows triggers the issue... sorry I missed that.

    So to answer your question.... it was the only platform I could reproduce the issue on. Also there was a small amount of hoopla in December over the new VLC player that supports .wmv files on OSX.

    Regards.
    -KF
  • Thomas Ptacek · 2 years ago
    Kevin, why didn't you FIX THE PROBLEM when you released the advisory?
  • KF · 2 years ago
    You know how to get ahold of me Thomas... feel free to IM me any personal questions you have.

    But to answer your question... Rémi Denis-Courmont was already on the problem since we had discussed the issue. Also... the DigitalMunition Advisory that you will see once I am done being DDOS'd points to http://trac.videolan.org/vlc/changeset/18481

    Someone else mentioned to me today that this bug was disclosed at a security conf in Europe in December... so feel free to ask that fellow why he didn't provide a patch, or even bother to notify VLC. Also feel free to ask anyone in the room during this talk why they did not take the time to do so either...
  • Thomas Ptacek · 2 years ago
    But you posted an advisory and an exploit for the problem. You're not a bystander.
  • one.miguel · 2 years ago
    "Here’s Dave Maynor on the first MOAB finding, a genuinely bad QuickTime flaw: “This is one of the most dangerous bugs in Apple I have ever seen.” Unintentionally revealing? Presumably that includes LMH’s “DMG remote kernel hole”, and his own MacIntel wireless finding from Black Hat, both of which apparently rate at-or-below a clientside stack overflow in a video player."

    I would think that the attack vector of someone web browsing and getting whacked is more serious than a wireless driver attack where you need to be within radio range of the victim. Remember VML and WMF? Compromise a popular web server and you get thousands of slaves.
  • Chris W. · 2 years ago
    I think this OS X bug, http://www.ciac.org/ciac/bulletins/o-138.shtml found by DaveG which allows remote admin privs is much worse than a QT client bug. Before the advisory was released I did some quick scanning and found a major university in the Boston area that had 400 machines vulnerable.
  • Thomas Ptacek · 2 years ago
    That's one explanation, but there's a reason Maynor's announcement got so much press coverage and the Quicktime finding isn't going to get any.

    That said: I'm being deliberately snarky because I'm irritated that Maynor is sticking up for MOAB.
  • one.miguel · 2 years ago
    "That said: I’m being deliberately snarky because I’m irritated that Maynor is sticking up for MOAB. "

    Really? I can't tell. LOL. :-)
  • whocaresaboutpresscoverage · 2 years ago
    "That’s one explanation, but there’s a reason Maynor’s announcement got so much press coverage and the Quicktime finding isn’t going to get any.

    That said: I’m being deliberately snarky because I’m irritated that Maynor is sticking up for MOAB."

    Sounds to me like someone is upset they haven't been in the press lately, and their thunder is being taken from them. :)
  • dre · 2 years ago
    there is a big difference between MoBB and MoAB/MoKB. I doubt LMH is getting several rounds of beers and respect for this from Apple like hdm got from Microsoft.

    plus, I don't see this as full-disclosure at all. somebody please explain to me how this doesn't encourage the hoarding and delaying of vulnerabilities? if anything, this severely lengthens the vulnerability and exploit lifetimes, which is just as counter-productive as Apple's lack of response.
  • Steve · 2 years ago
    Great post. While the Apple bug is serious, it is not the most serious, and there we have Maynor overblowing and creating FUD about an issue. Seems to be par for the course, is it not?

    I think the only real value in these MOXB campaigns is that it does give the vendor a kick in the ass to perhaps start dealing with security in a more realistic and responsive manner. Too bad there is yet to be any evidence that it actually does this.
  • ChrisR · 2 years ago
    I am still failing to understand what VLC has to do with Apple and what Apple developers are supposed to do about it. I don't use OSX; does VLC come bundled with it? If not, then why is that advisory part of the MOAB? I thought MOAB was in response to slow Apple patch times? I understand the QuickTime bug, Apple can do something about it. But please, someone explain the reasoning for the VLC bug. Also it appears to work in Linux as well, but I'm too lazy to go beyond segmentation fault on this one.
  • Andrew Jaquith · 2 years ago
    Wow, Tom. You've really got your snark on today. I like it.

    The only thing I've concluded over this month's (abortive?) Bug cornucopia is that Kevin and LMH have figured out how to use a fuzzer. I am not sure what they are trying to prove, other than generate publicity for themselves.

    More to the point -- if the issue really is about fostering a "more concerned (security-wise) user-base" and "better practices from the management side of Apple" I'd like to know how this achieves those aims. LMH/KF say that "responsible disclosure" isn't an option because it would grant various parties, presumably Apple, "insane amounts of time" before things got fixed.

    A fair argument, but I don't buy it. I hate to be like Nick Naylor in "Thank You for Smoking," but where are the data? And what constitutes "insane" amounts of time? At least with eEye's "Upcoming Advisories" and "Zero-Day" tickers (which I like) you can see the elapsed time, and judge for yourself about whether the vendor is being reasonable or not.

    Honestly, when I hear an inflammatory statement like "insane amounts of time" you'd think that the party making the statement would substantiate it with facts. But they don't, probably because they can't. I am genuinely willing to have my mind changed, but until I see some data I regard this whole thing as 90% stunt, 10% altruism.
  • one.miguel · 2 years ago
  • Thomas Ptacek · 2 years ago
    Gotta love the drama.
  • alastair · 2 years ago
    Yes, I just read that too :-)

    Doesn't really surprise me. (Sorry Thomas, it's probably at least partly my fault that it's you that he's on about.)

    And like everyone else, I'm puzzled as to how a VLC bug gets classified as an "Apple" bug. Maybe it is only easily exploitable on OS X, but VLC doesn't come with OS X and it seems to me that people trying to play wmv files on OS X are much more likely to be running Flip4Mac.

    It does seem a shame that LMH and KF don't expend more effort on actually fixing the bugs rather than providing people with pre-written exploit code that could be used for nefarious purposes. Particularly as they aren't giving the vendor(s) any time to actually fix the problems before releasing their findings.

    Still, Brandon Fuller seems to be trying to provide fixes for things they find:

    http://landonf.bikemonkey.org/code/macosx/

    I contemplated doing that myself, but I'm not sure I have the necessary time. Maybe I'll have a go at one if I spot something I'm interested in, we'll see.
  • alastair · 2 years ago
    For some reason I wrote Brandon. Anyway, it's *Landon* Fuller, not Brandon. Apologies Landon.
  • David Maynor · 2 years ago
    @Steve:
    I don't think it's FUD at all. I think it's one of the more dangerous bugs I have seen for Apple because it is one of the first bugs I have seen that could actually be exploited by REAL malware. As shown with the MySpace worm a few weeks ago, malware authors are adept at QuickTime vulnerabilities. It wouldn't be too hard to build a script that determines your browser version and serves up an exploit for either Apple or Windows. To me that sounds like a little more than FUD...
  • Thomas Ptacek · 2 years ago
    I agree with Dave on that point, in case it seems from my post that I don't.
  • Rosyna · 2 years ago
    I have to disagree with David on that point. The QT Javascript thing is a bug in the browser, not QuickTime. The QT plugin just passes the javascript to the browser. The plugin is loading javascript from a remote site, the browser should recognize this. So the MySpace thing was exploiting the fact IE didn't check to see if ActiveX controls loaded resources out of the current domain.
  • alastair · 2 years ago
    Have you seen

    http://news.com.com/2100-1002_3-6147026.html

    I particularly enjoyed the quote from Dave Marcus (McAfee's "Security Research and Communications Manager"), where he says

    "These guys were superstars in computer security before they were doing the months of bugs. I think they honestly do it in the thought of serving the community."

    Presumably by releasing working exploit code so that spammers can enlarge their bot-nets, thereby easing the distribution of viruses and spam, both of which are things that are clearly in great public demand these days?

    (And why is there now a Windows-specific exploit on a Month of *Apple* Bugs? Especially if MoAB is there to "discourage smugness" amongst Mac users?)
  • David Maynor · 2 years ago
    @Rosyna
    How does your explanation in any way negate my point that malware authors are adept at turning these types of bugs into real malware? The MySpace worm example was given to show that 3rd party apps have been targeted by malware authors who make use of them. You must have jumped to the conclusion that because I mentioned it I think they are the same type of bug. I don't, but thank you for your very concise analysis of how it worked.
  • Thomas Ptacek · 2 years ago
    Alastair, I had forgotten that LMH is a superstar. Oops. The worst part about this "debate" is that it puts me in a situation where I appear to agree with Pete Lindstrom.
  • Pete · 2 years ago
    That is scary. Guess you better update your punditcon graphic ;-) And actually, while I still harbor my standard beliefs (and will be on a panel debating responsible disclosure at RSA), in this case I at least see some "value" in bursting the bubble that Mac addicts have about the security of their solution. Of course, if the bugfinders fail, it will add greater fuel to the fire.

    I of course defer to you and others to keep me honest on the likelihood that these guys will succeed technically and what that means to the never-really-answered "what platform is more secure?" debate.
  • Thomas Ptacek · 2 years ago
    I'm not sure I see the value in bursting the bubbles of Mac end-users. Is anyone really laboring under the misperception that the average Mac OR Windows user really understands the issues involved in computer security?

    The fact of the matter is, moving from Windows to Mac WILL reduce the gross number of hours you spend every year dealing with security issues on your computer, probably by a lot. That the reduction doesn't occur for the reasons John Gruber says it does is hardly relevant, at least not to my Mom.
  • Pete · 2 years ago
    I admit that there is a bit of spite in my opinion, likely in the same way bugfinders are sometimes finding bugs out of spite. In any case, there are smaller enterprises that are making O.S. choices based on security even though they *don't* understand the issues (perhaps IE vs. Firefox is slightly analogous here). To whatever extent there is an upswing in Mac adoption (not likely) it becomes a bit more important.

    I still think that root cause is important - i.e. is this fact due to inherent properties of the O.S. or is it simply based on the level of attention that bugfinders give to a particular O.S.? Else, it is a fishtailing target out of the control of the enterprise.
  • Mac · 2 years ago
    In this day and age we still argue about what is good and bad. Regardless of the fact that these people found the issue and are reporting it, there are 100 other people who find it and exploit it.

    I say stop the MOXB and let the hackers show companies the holes. See how many people complain then. If the white hats and/or grey hats stopped reporting to companies, we would very quickly be a botnet-controlled internet.

    These people who report are doing a service. Apple and others have been very slow in the past at patching and have only recently begun to patch at a faster rate due to MOXB.

    What is nice about MOAB is that it has finally shut my friends up about Apple being safer than any other OS. They have always boasted that they will never be hacked. As of yesterday, my buddy found he was no longer in control of his machine. I laughed.

    No one vendor or OS is invulnerable. Everything has bugs. Not all can be fixed. But at least code check your software prior to release.
  • Thomas Ptacek · 2 years ago
    One of my big arguments against MOAB is that shutting your friends up about Apple security is not a particularly important goal, especially weighed against the costs of muddying the waters more on disclosure.

    The "nobody's invulnerable, everybody has bugs" argument is one of the most toxic in security. If you believe everyone's qualitatively the same, you wind up where Lindstrom did; we might as well stop finding bugs altogether.
  • KF · 2 years ago
    Does anyone's grandma or mom or friend for that matter refuse to install patches because they "change the way things look" or because they do not see the benefit of installing the patches when there is no such thing as Mac malware or exploits, viruses and the like?

    Just curious.

    My mom in fact recently sent me an email and said something along the lines of "So... I guess I should start getting used to installing updates instead of clicking cancel eh?" You know why she said that? Take a guess as to why ...

    -KF
  • Thomas Ptacek · 2 years ago
    Ok I'm going to suggest that KF's Mom probably pays a little bit more attention to computer security than, say, my brother's mother-in-law, or 99.999% of other Mac users.

    I do like how aggressive Apple is about pushing fixes through software update.
  • Chris_B · 2 years ago
    Pretty darn soon there will be a waiting list for the Maynard & Crabs Security Dude Ranch what with all the MOXB crowd just waiting to get in. Sign up now and get a room with a view of no cattle and a complimentary genuine Stetson 15 gallon hat at no additional cost.
  • Xune · 2 years ago
    Ptacek (is it possible to even say that) you really need a hysterectomy.