Month of VersionTracker Bugs

Thomas Ptacek | January 3rd, 2007 | Filed Under: Apple, New Findings, Uncategorized

The “Month of Apple Bugs” kicks off to predictable press interest. And I’m done being diplomatic about these “Month of XXX Bugs” (MOXB?) things.

HD Moore to Dark Reading: “[A MOXB scheme] seems to be the answer to a ton of denial and hubris about whether Apple products are more secure than any other vendor.” It’s hard to criticise HD; he’s both nicer and smarter than me. But, here goes: “denial and hubris” about Apple security is not a problem that we need HD Moore to correct.

Here’s a problem that we do need to correct: it takes Apple longer to release patches for findings than many other vendors. A year is not unheard of. Now, explain to me how a month of “get root from localhost nobody” scare-advisories is going to solve that problem?

Apparently, MOAB ringleader LMH presumes his findings are more important than everyone else’s. Here’s a response: now that he’s committed to posting exploits for all his findings, we can be pretty sure that we’re looking at a month of clientside userland overflows, format string flaws, and temp file races.

Consider today’s MOAB release: a format string attack in VLC. Yes, if you download movies from BitTorrent, you might be playing them with VLC, and I guess you should go download whatever context diff patch the videolan.org people provide. What’s next? Trolling for bad zlib versions on VersionTracker? And so I ask again: how is this helping people? Did the VideoLAN team show too much “hubris” to LMH and KF? Was it really too hard for them to simply find the broken vsnprintf (again: VLC is open source) and publish a patch along with the advisory?

There are arguments to be made in favor of publishing exploits. There are arguments for going public with a finding immediately. What’s the argument for a bug-a-day release schedule?

Here’s Dave Maynor on the first MOAB finding, a genuinely bad QuickTime flaw: “This is one of the most dangerous bugs in Apple I have ever seen.” Unintentionally revealing? Presumably that includes LMH’s “DMG remote kernel hole”, and his own MacIntel wireless finding from Black Hat, both of which apparently rate at-or-below a clientside stack overflow in a video player.

Both Maynor and LMH allude to “debate” over Apple findings. Maynor knows how to end the “debate” over the wireless bug he and Johnny Cache found: he can publish details. Until he does, he should stop complaining about a “debate” he labored to cultivate. As for LMH, people debate his findings because he made one up. When did that stop being a big deal? And finally, as for the first two MOAB findings: there hasn’t been time for a “debate” about the bugs themselves. I’ll be surprised if there is one. Nobody’s going to debate that there are memory bugs in Apple client software and stuff you pull off VersionTracker; we’ll only debate why we’re supposed to be impressed by them.

Viewing 34 Comments

    • ^
    • v
    I guess I've a more basic question - what does a VLC bug have to do with a supposed Month of Apple bugs?
    • ^
    • v
    Somebody recently said that the only way to be Punk in LA anymore is to go to a big party and exclaim, "Say what you want about George W. Bush, but he's a really smart guy!"

    Maybe the MOXB meme has made the only way to be Punk in Vuln. Discovery is to fix them.
    • ^
    • v
    When I first encountered this bug I was unable to reproduce it on Win32 or Linux. I tested the vlc package for debian / ubuntu 0.8.4.debian-1ubuntu6. I also tested the most recent download of the windows version with zero indication that there was an issue.

    Call me stupid... call me lame... thats all fine. It was a simple mistake on my part or perhaps something unique to my environment as I STILL can not trigger the issue.

    The original bug was found via the URL handler by inserting udp:// into a web browser on OSX. On win32 the udp:// handler was not registered and thus did NOT kick off the VLC player. During exploit development we found that using the browser caused some filtering to occur and we could not supply the return addresses we wanted. At that point we moved to the .m3u format.

    I have been told that rapidly and repeatedly double clicking a .m3u on Windows triggers the issue... sorry I missed that.

    So to answer your question.... it was the only platform I could reproduce the issue on. Also there was a small amount of hoopla in December over the new VLC player that supports .wmv files on OSX.

    Regards.
    -KF
    • ^
    • v
    Kevin, why didn't you FIX THE PROBLEM when you released the advisory?
    • ^
    • v
    You know how to get ahold of me Thomas... feel free to IM me any personal questions you have.

    But to answer your question... Rémi Denis-Courmont was already on the problem since we had discussed the issue. Also... in the DigitalMunition Advisory that you will see once I am done being DDOS'd points to http://trac.videolan.org/vlc/changeset/18481

    Someone else mentioned to me today that this bug was disclosed at security conf in europe in December... so feel free to ask that fellow why he didn't provide a patch, or even bother to notify VLC. Also feel free to ask anyone in the room during this talk why they did not take the time to do so either...
    • ^
    • v
    But you posted an advisory and an exploit for the problem. You're not a bystander.
    • ^
    • v
    "Here’s Dave Maynor on the first MOAB finding, a genuinely bad QuickTime flaw: “This is one of the most dangerous bugs in Apple I have ever seen.” Unintentionally revealing? Presumably that includes LMH’s “DMG remote kernel hole”, and his own MacIntel wireless finding from Black Hat, both of which apparently rate at-or-below a clientside stack overflow in a video player."

    I would think that the attack vector of someone web browsing and getting whacked is more serious than a wireless driver attack where you need to be within radio range of the victim. Remember VML and WMF? Compromise a popular web server and you get thousands of slaves.
    • ^
    • v
    I think this OS X bug, http://www.ciac.org/ciac/bulletins/o-138.shtml found by DaveG which allows remote admin privs is much worse than a QT client bug. Before the advisory was released I did some quick scanning and found a major university in the Boston area that had 400 machines vulnerable.
    • ^
    • v
    That's one explanation, but there's a reason Maynor's announcement got so much press coverage and the Quicktime finding isn't going to get any.

    That said: I'm being deliberately snarky because I'm irritated that Maynor is sticking up for MOAB.
    • ^
    • v
    "That said: I’m being deliberately snarky because I’m irritated that Maynor is sticking up for MOAB. "

    Really? I can't tell. LOL. :-)
    • ^
    • v
    "That’s one explanation, but there’s a reason Maynor’s announcement got so much press coverage and the Quicktime finding isn’t going to get any.

    That said: I’m being deliberately snarky because I’m irritated that Maynor is sticking up for MOAB."

    Sounds to me like someone is upset they haven't been in the press lately, and their thunder is being taken from them. :)
    • ^
    • v
    there is a big difference between MoBB and MoAB/MoKB. I doubt LMH is getting several rounds of beers and respect for this from Apple like hdm got from Microsoft.

    plus, I don't see this as full-disclosure at all. somebody please explain to me how this doesn't encourage the hoarding and delaying of vulnerabilities? if anything, this severely lengthens the vulnerability and exploit lifetimes, which is just as counter-productive as Apple's lack of response.
    • ^
    • v
    Great post. While the apple bug is serious, it is not the most serious and there we have Maynor over blowing and creating FUD about an issue. Seems to be par for the course is it not?

    I think the only real value in these MOXB campaigns is that it does give the vendor a kick in the ass to perhaps start dealing with security in a more realistic and responsive manner. Too bad there is yet to be any evidence that it actually does this.
    • ^
    • v
    I am still failing to understand what VLC has to do with Apple and what apple developers are supposed to do about it. I dont use OSX, does VLC come bundled with it? If not then why is that advisory part of the MOAB? I thought MOAB was in response to slow apple patch times? I understand the quicktime bug, apple can do something about it. But please someone explain the reasoning for the VLC bug. Also it appears to work in linux as well, but im too lazy to go beyond segmentation fault on this one.
    • ^
    • v
    Wow, Tom. You've really got your snark on today. I like it.

    The only thing I've concluded over this month's (abortive?) Bug cornucopia is that Kevin and LMH have figured out how to use a fuzzer. I am not sure what they are trying to prove, other than generate publicity for themselves.

    More to the point -- if the issue really is about fostering a "more concerned (security-wise) user-base" and "better practices from the management side of Apple" I'd like to know how this achieves those aims. LMH/KF say that "responsible disclosure" isn't an option because it would grant various parties, presumably Apple, "insane amounts of time" before things got fixed.

    A fair argument, but I don't buy it. I hate to be like Nick Naylor in "Thank You for Smoking," but where are the data? And what constitutes "insane" amounts of time? At least with eEye's "Upcoming Advisories" a "Zero-Day" tickers (which I like) you can see the elapsed time, and judge for yourself about whether the vendor is being reasonable or not.

    Honestly, when I hear an inflammatory statement like "insane amounts of time" you'd think that the party making the statement would substantiate it with facts. But they don't, probably because they can't. I am genuinely willing to have my mind changed, but until I see some data I regard this whole thing as 90% stunt, 10% altruism.
    • ^
    • v
    • ^
    • v
    Gotta love the drama.
    • ^
    • v
    Yes, I just read that too :-)

    Doesn't really surprise me. (Sorry Thomas, it's probably at least partly my fault that it's you that he's on about.)

    And like everyone else, I'm puzzled as to how a VLC bug gets classified as an "Apple" bug. Maybe it is only easily exploitable on OS X, but VLC doesn't come with OS X and it seems to me that people trying to play wmv files on OS X are much more likely to be running Flip4Mac.

    It does seem a shame that LMH and KF don't expend more effort on actually fixing the bugs rather than providing people with pre-written exploit code that could be used for nefarious purposes. Particularly as they aren't giving the vendor(s) any time to actually fix the problems before releasing their findings.

    Still, Brandon Fuller seems to be trying to provide fixes for things they find:

    http://landonf.bikemonkey.org/code/macosx/

    I contemplated doing that myself, but I'm not sure I have the necessary time. Maybe I'll have a go at one if I spot something I'm interested in, we'll see.
    • ^
    • v
    For some reason I wrote Brandon. Anyway, it's *Landon* Fuller, not Brandon. Apologies Landon.
    • ^
    • v
    @Steve:
    I don't think its FUD at all. I think its one of the more dangerous bugs I have seen for Apple because it is one of the first bugs I have seen that could actually be exploited by REAL malware. As shown with the MySpace worm a few weeks ago, malware authors are adept at quicktime vulnerabilities. It wouldn’t be too hard to build a script that determines your browser version and serves up an exploit for either Apple or Windows. To me that sounds like a little more than FUD…
    • ^
    • v
    I agree with Dave on that point, in case it seems from my post that I don't.
    • ^
    • v
    I have to disagree with David on that point. The QT Javascript thing is a bug in the browser, not QuickTime. The QT plugin just passes the javascript to the browser. The plugin is loading javascript from a remote site, the browser should recognize this. So the MySpace thing was exploiting the fact IE didn't check to see if ActiveX controls loaded resources out of the current domain.
    • ^
    • v
    Have you seen

    http://news.com.com/2100-1002_3-6147026.html

    I particularly enjoyed the quote from Dave Marcus (McAfee's "Security Research and Communications Manager"), where he says

    "These guys were superstars in computer security before they were doing the months of bugs. I think they honestly do it in the thought of serving the community."

    Presumably by releasing working exploit code so that spammers can enlarge their bot-nets, thereby easing the distribution of viruses and spam, both of which are things that are clearly in great public demand these days?

    (And why is there now a Windows-specific exploit on a Month of *Apple* Bugs? Especially if MoAB is there to "discourage smugness" amongst Mac users?)
    • ^
    • v
    @Rosyna
    How does your explanation in any way negate my point that malware authors are adept at turning these types of bugs into real malware? The Myspace worm example was given to show that 3rd party apps have been targeted by malware authors who make use of them. You must have jumped to the conclusion because I mentioned it I think they are the same type of bug, I don’t, but thank you for you very concise analysis of how it worked.
    • ^
    • v
    Alastair, I had forgotten that LMH is a superstar. Oops. The worst part about this "debate" is that it puts me in a situation where I appear to agree with Pete Lindstrom.
    • ^
    • v
    That is scary. Guess you better update your punditcon graphic ;-) And actually, while I still harbor my standard beliefs (and will be on a panel debating responsible disclosure at RSA), in this case I at least see some "value" in bursting the bubble that Mac addicts have about the security of their solution. Of course, if the bugfinders fail, it will add greater fuel to the fire.

    I of course defer to you and others to keep me honest on the likelihood that these guys will succeed technically and what that means to the never-really-answered "what platform is more secure?" debate.
    • ^
    • v
    I'm not sure I see the value in bursting the bubbles of Mac end-users. Is anyone really laboring under the misperception that the average Mac OR Windows users really understands the issues involved in computer security?

    The fact of the matter is, moving from Windows to Mac WILL reduce the gross number of hours you spend every year dealing with security issues on your computer, probably by a lot. That the reduction doesn't occur for the reasons John Gruber says it does is hardly relevant, at least not to my Mom.
    • ^
    • v
    I admit that there is a bit of spite in my opinion, likely in the same way bugfinders are sometimes finding bugs out of spite. In any case, there are smaller enterprises that are making O.S. choices based on security even though they *don't* understand the issues (perhaps IE vs. Firefox is slightly analogous here). To whatever extent there is an upswing in Mac adoption (not likely) it becomes a bit more important.

    I still think that root cause is still important - i.e. is this fact due to inherent properties of the O.S. or is it simply based on the level of attention that bugfinders give to a particular O.S. Else, it is a fishtailing target out of the control of the enterprise.
    • ^
    • v
    In this day in age we still argue about what is good and bad. Regardless of the fact that these people found the issue and are reporting it, there are 100 other people who find it and exploit it.

    I say stop the MOXB and let the hackers shows companies the holes. See how many people complain then. If the white hats and/or grey hats stopped reporting to companies, we would be very quickly a botnet contolled internet.

    These people who report are doing a service. Apple and others have been very slow in the past at patching and as of only recently begun to patch at a faster rate due to MOXB.

    What is nice about MOAB is that it has finally shut my friends up about Apple being safer than any other OS. They have always boasted that they will never be hacked. As of yesterday, my buddy found he was no longer in control of his machine. I laughed.

    No one vendor or OS is invulnerable. Everything has bugs. Not all can be fixed. But at least code check your software prior to release.
    • ^
    • v
    One of my big arguments against MOAB is that shutting your friends up about Apple security is not a particularly important goal, especially weighed against the costs of muddying the waters more on disclosure.

    The "nobody's invulnerable, everybody has bugs" argument is one of the most toxic in security. If you believe everyone's qualitatively the same, you wind up where Lindstrom did; we might as well stop finding bugs altogether.
    • ^
    • v
    Does anyones grandma or mom or friend for that matter refuse to install patches because they "change the way things look" or because they do not see the benefit of installing the patches when there is not such thing as mac malware or exploits, viruses and the like?

    Just currious.

    My mom infact recently sent me an email and said something along the lines of "So... I guess I should start getting used to installing updates instead of clicking cancel eh?" You know why she is said that? Take a guess as to why ...

    -KF
    • ^
    • v
    Ok I'm going to suggest that KF's Mom probably pays a little bit more attention to computer security than, say, my brother's mother-in-law, or 99.999% of other Mac users.

    I do like how aggressive Apple is about pushing fixes through software update.
    • ^
    • v
    Pretty darn soon there will be a waiting list for the Maynard & Crabs Security Dude Ranch what with all the MOXB crowd just waiting to get in. Sign up now and get a room with a view of no cattle and a complimentary genuine Stetson 15 gallon hat at no additional cost.
    • ^
    • v
    Ptacek (is it possible to even say that) you really need a hysterectomy.

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus