Trilight Zone Forum
Privacy & Anonymity is our speciality!
Apple Flaw Project Odds and Ends

tricore (Guest)

Posted: Mon Jan 08, 2007 5:04 pm    Post subject: Apple Flaw Project Odds and Ends

An official patch from VideoLAN, hidden taunts and heated verbal punditry.

I'm trying my best to keep pace with the fast-moving Apple bug-a-day stuff, which has provided fodder for an intense debate on the hackers' motives and vulnerability disclosure tactics.

Here we go:

*** The VideoLAN team is fast out of the gates with an official patch for the VLC Player vulnerability (MoAB #2). Kevin Finisterre is prominently credited.

*** There's a detailed FAQ from Landon Fuller for his patch-a-day project. There's also an MoAB Fixes group set up to discuss technical and coding issues, with 48 members and counting.

*** MoAB #3 is a variation of the QuickTime issue that led to the recent MySpace phishing attack. It was discovered by Aviv Raff, who showed that it could be used in a cross-zone scripting attack in combination with other vulnerabilities to remotely execute arbitrary code on the user's machine. Interestingly, Raff worked closely with Fuller on the unofficial patch.

*** The Jan. 4 bug is a format string vulnerability in the way Apple's iPhoto supports photocasting. The MoAB Fixes crew followed swiftly with their patch.

PUNDITRY

As expected, the pundits are heating up the blogosphere with reactions to the project. A small sample:

Robert Graham from Errata Security takes aim at Apple:

Ethical handling of a vulnerability is a two-way street, requiring good behavior on both the researcher and the vulnerable vendor. Apple is not an ethical company - it's not just the Black Hat incident, but a track record going back several years. We've got more Apple bugs in the works. We are going to release them directly to the community (with maybe a pre-release to Landon Fuller) without giving Apple's PR machine enough time to attack us.

Matasano's Thomas Ptacek strongly disagrees:

"...denial and hubris" about Apple security is not a problem that we need HD Moore to correct. Here's a problem that we do need to correct: It takes Apple longer to release patches for findings than many other vendors. A year is not unheard of. Now, explain to me how a month of "get root from localhost nobody" scare-advisories is going to solve that problem?

Gartner analyst Rich Mogull writes on Securosis:

Apple, or any vendor for that matter, that doesn't respond well to reported vulnerabilities isn't about to change their practices due to ending up in the crosshairs of a lone gunman, whatever his or her intentions... Releasing code without reporting it to the vendor does little more than garner attention and place end users at risk. I highly doubt it will change any vendor's patching policies.

Tenable's Marcus Ranum on what he calls vulnerability pimps:

I personally believe that the hordes of "security researchers" that are constantly searching for new bugs are largely a wasteful drain on the security community. The economy of "vulnerability disclosure," in which credit is claimed in return for discovering and announcing bugs, has had a tremendous negative impact on many vendors' development cycles and product release cycles.

Dave Aitel, over IM, on why security researchers are criticizing the MoAB project:

Months of bugs annoys research companies because it entirely drowns out the publicity impact from you and your one vulnerability...Apple needs to sponsor a few parties and take a friendlier approach to people who do work for free.

HIDDEN MoAB TAUNTS

Scattered throughout LMH and Kevin Finisterre's bug-a-month advisories are hidden taunts aimed at Mac fanatics and critical pundits.

Some of the more obvious ones:

There's a red and white image of what looks like a kitchen appliance on MoAB #1. The file name and element properties say it all: Oh my gosh, an Apple Peeler!

The alert ends with the tagline: You're the PC now, Mac (YTPNM).

MoAB #2 includes the FBI sketch of the Unabomber, with the alternate text: I hear your plea.

It also contains several quotes from the infamous Unabomber Manifesto, including this one aimed squarely at others in the hacking/security research community who have criticized the project: (Paragraph 19) We are asserting that ALL, or even most, bullies and ruthless competitors suffer from feelings of inferiority.

Hidden in the .mov proof-of-concept in MoAB #3 is a taunt aimed at Matasano's Ptacek.

The alternate text attribute in the image on the fourth alert pokes fun at Apple's PR and marketing team.