Safari, Quicktime & ARD, Oh my.
There were several Apple-related vulnerabilities announced the other day:
- A vulnerability in Apple Remote Desktop
- Two Quicktime vulnerabilities
- A browser-related vulnerability, that, as it turns out, Safari is susceptible to.
I'm not going to spend a lot of time on the ARD vulnerability, as, well, I thoroughly detest ARD; it's been a long-running problem I've had with OS X, which I'll go into another time.
But it's pretty serious, and if you have the ARD client installed or have to deal with it in other ways, you should be updating.
The Safari vulnerability is a more general browser problem, and ironically enough, Windows with SP2 installed is immune, while many other browsers aren't, including Safari and older versions of IE and Outlook.
The problem is basic: when you put the cursor over a link, you should see where that link is going to take you. Sometimes that is alt-text, and the browser will display the destination in the status area; in Safari it's the thin gray bar at the bottom of the window that 95% of the time just wastes screen real estate (just as an aside, I like Omniweb's solution to this).
Basically, by wrapping the link in some table tags, you can give the user false information about where they will be taken if they click the link. There is a demonstration of this available here at DrunkenBlog (modified from here); you'll notice that if you hover over it you'll see drunkenblog.com, but you'll actually be taken to apple.com.
The real problem is that the link could also be taking you to some horrific Russian website (and there are other ways to disguise where you actually are, although they've been hammered out of the current IE for the most part) which quietly hacks your browser and installs things you don't want. Or, you get an email saying it's from Paypal. If you normally held your mouse over the link and it said paypal-us1-biz124054.somesite.com you'd have a reason to be suspicious, but if it says www.paypal.com/blah you have less reason to be.
Mac users are vulnerable to the latter form, the phishing email, as it's more social than technical. The former, while possible, is luckily something we don't really have to worry about much, due to market share.
Yes, trusting the status bar might seem a little foolish when you consider it can be rewritten easily via JavaScript. However, because this is just a creative use of HTML, it works even when JavaScript is disabled, which lots of people and companies do in the belief that it stops this sort of thing.
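A defender-side check for the two deceptions described above (link text that names one site while pointing at another, and a link nested inside another link so the shown and followed destinations disagree), added here as an example and not part of the original post; the sample HTML is constructed, and the two-label domain comparison is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url_like):
    """Lowercase host of a URL, or of a bare 'www.host/path' string."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlsplit(url_like).hostname or "").lower()

def same_site(a, b):
    # Simplification assumed by this example: compare the last two DNS
    # labels rather than consulting a public-suffix list.
    return a.split(".")[-2:] == b.split(".")[-2:]

class LinkAuditor(HTMLParser):
    """Records (kind, shown, actual) findings while parsing."""
    def __init__(self):
        super().__init__()
        self.stack = []      # [href, text parts] for each unclosed <a>
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if self.stack:
            # An <a> inside another <a> is invalid HTML; which href the
            # status bar shows and which is followed is browser-specific.
            self.findings.append(("nested-anchor", self.stack[-1][0], href))
        self.stack.append([href, []])
    def handle_data(self, data):
        if self.stack:
            self.stack[-1][1].append(data)
    def handle_endtag(self, tag):
        if tag != "a" or not self.stack:
            return
        href, parts = self.stack.pop()
        text = "".join(parts).strip()
        # Link text that reads like an address but points somewhere else.
        if ("://" in text or text.startswith("www.")) and not same_site(
                host_of(text), host_of(href)):
            self.findings.append(("text-mismatch", host_of(text), host_of(href)))

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: a phishing-style link, a nested table-wrapped link
# like the post's demo, and an honest link for contrast.
SAMPLE = """<a href="http://paypal-us1-biz124054.somesite.com/login">www.paypal.com/cgi-bin/webscr</a>
<a href="http://www.apple.com/"><table><tr><td><a href="http://drunkenblog.com/">DrunkenBlog</a></td></tr></table></a>
<a href="http://example.org/">Read the announcement</a>"""
```

Running `audit_links(SAMPLE)` reports the Paypal text mismatch and the nested anchor, and nothing for the honest link.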
The other thing I think it's worth noting is just how weird Safari's behavior is compared to other browsers. The link actually goes to apple.com, while falsely showing drunkenblog.com in the status bar, and if you just click it the 'exploit', such as it is, works. However, if you control-click and open the link in a new window or tab from the contextual menu, it goes to drunkenblog.com, the fake status information given to it, not the link specified in the HTML.
If you hold down command+option and then click, it opens apple.com in the new window. This is just freaking weird, and I am at a loss as to why it's happening, as it doesn't seem to be happening on the version of Konqueror I tested it on, which Safari originally shared a codebase with.
The fact that Safari is exhibiting this and Konqueror isn't, since they're both based on the same 'engine', brings to mind something else I'm watching and will get my drunk on with later.
The Quicktime vulnerabilities are pretty nasty, even though they haven't gotten much talk around the Mac web. Two have been announced.
One affecting Windows:
Available for: Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows ME and Microsoft Windows 98
Impact: An integer overflow that may be exploitable in an HTML environment.
And one affecting both Windows and Mac OS X:
Available for: Mac OS X v10.3.x, Mac OS X Server v10.3.x, Mac OS X v10.2.8, Mac OS X Server v10.2.8, Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows ME and Microsoft Windows 98
Impact: A heap buffer overflow could allow attackers to execute arbitrary code.
The one targeting Windows is pretty rough, and I don't even want to consider trying to explain what a buffer exploit is or how it works. It's just not something that fits neatly into analogies, and anything that's coming to mind is going to result in too many emails.
Basically, in a procedural language like C or C++ you have to tell the program up front how much data to expect. If the programmer isn't careful about laying down boundaries on what can come in, the excess spills past the space set aside for it, and that excess can end up being run as code on the host system.
So what this exploit means is you can feed Quicktime malformed HTML, which causes it to barf, and that barf ends up being run on the user's system. Often that barf is malicious in nature, and allows someone to do things on your computer you don't want them to. This is nasty, but only affects Windows. Lucky them.
The other affects both platforms, and again has to do with a buffer overflow, this time in decoding .BMP images. Yes, this is basically the same as the older vulnerabilities Microsoft got smacked with: view a malformed image, compromise your system.
This one isn't even close to funny, although again Mac users are saved by their small market share. While both Mac and Windows users are susceptible to the attack, the code that actually drops something malicious onto the system through it wouldn't work on both. It's also been fixed in the security update released last month, so I'd hope you have it installed.
The Quicktime vulnerabilities have really been on my mind for the last several days, as they aren't the first and I'm almost positive they won't be the last. Something Mac users haven't paid a lot of attention to is that while I still would go out of my way to not use IE on Windows, Microsoft has made some enormous strides towards closing out the obvious holes in the last service pack, and I'd have to imagine this is going to continue in the future.
If they hadn't turned off ActiveX by default, I wouldn't be saying this; but I think they've realized it's hurting their competitiveness and have started shipping with sane defaults, even at the cost of functionality and backwards compatibility. Outlook and IE have gone through the absolute wringer on exploits, and a lot of the low-hanging fruit has been picked with those safe defaults in place.
But Microsoft is still the massive platform, and as such is going to attract the parasites. With the low-hanging fruit gone, it's still worth someone's while to get out the foot stool, and I'm starting to get the feeling that the next branch up is going to have Quicktime hanging there.
And Quicktime is probably remarkably ripe for the picking, all things considered. It's made inroads into getting onto more Windows systems, and perhaps more importantly it's made inroads into more people actually using it as the default on their Windows systems, via iTunes and soon iPhoto.
Quicktime helpfully suggests you make it the default for all the files it can open, but a ton of Windows users did everything they could to keep it from doing so, because Quicktime for Windows really, really sucked compared to the competition. They'd use it to watch the Star Wars trailer, then delete it or just let it sit there in an unused directory.
This usually pisses off Mac people when I say this, but you have to remember, Quicktime is a bit of a foreign intruder on Windows systems both in terms of interface and in terms of code base. It was considered to be bloated in terms of memory usage, and slow in terms of performance, and buggy as something could be. It didn't help that the damn thing asked you to pay $20 for the privilege of viewing something full-screen.
And yes, I said interface. Know how you can use an app on the Mac, and it just obviously doesn't feel like it was made for the Mac? It doesn't follow Mac-interface conventions (yes, conventions, not standards) and it just feels wrong and out of place and you'd much rather use something that feels 'native', all things considered. Hell, a couple of those versions of Quicktime for the Mac felt like that (burn in hell, volume knob). That, historically, has been Quicktime for Windows.
They've made big strides as of late, and iTunes, while out of place and a little odd, actually goes a long way towards feeling like a Windows app. They did some homework, and it paid off. Quicktime has gotten better in terms of performance, and while it's still considered a hog, faster machines have made that less of an issue than it once was. They've squeezed out a lot of the bugginess, and with the advent of things like iTunes, more people are installing Quicktime and actually leaving it on the system as the default.
But this is problematic, because at the end of the day, Quicktime is a technology that is almost fifteen years old. Originally released in 1991, it's never really had a big rewrite. And it's worth noting that you have to separate the Quicktime file format from Quicktime itself. The file format is just, well, a file format; a container for data and not a big deal.
But where things can get a little tripped up is that most people think of Quicktime as the player that loads when they open a movie. Quicktime is a little larger than that; think of it as two subsystems for image and time-based data that developers can access through APIs. The Quicktime Player just ties into those APIs, as do applications like Preview, and those subsystems are creaky.
Remember, Cinepak came out in 1992. If you remember what using Cinepak was like compared to now, you can get a grasp of where the technology was. In 1993 Quicktime got the "Power Plug", a component you could install to increase performance on PowerPC systems; in 1998 it could display graphics like JPEG and TIFF, and in 1999 it could output them. By 2000 the player could finally be controlled via AppleScript, in 2002 it was ported to Mac OS X, and with Mac OS 10.3 it made some headway into becoming multi-threaded.
And yes, I said ported... Quicktime has gone past being a library of functionality, and at this point, especially with its ties to Carbon and Windows, could be considered an application platform all its own. A very creaky, very unmodern platform originally designed in the days of System 7, layered with the gunk of time and bolted-on features, and all written in a programming language that isn't very forgiving of a lax programmer.
This may well turn out to not be an issue going forward, but experience tells us malware and hackers take the path of least resistance, just like water. With the browser being nailed down in a big way, they're going to be turning their exploitive eyes more towards the next layer they can interact with.
This isn't something I'm too worried about as a Mac user, because even if there's one fish in the pond it doesn't mean it's worth your time to go fishing. But if there are 10,000, well... this could get messy.
Comments (7)
Posted by: drunkenbatman at November 4, 2004 04:25 AM
I accidentally typed that into the proof of concept as, well, I was banging it out at 3am. I've fixed the blurb; if you try it with Safari or OmniWeb it'll work.
Firefox isn't immune, but it is to the HTML I posted to the link. With a little fudging of where the tags are placed you can get it to happen in Firefox also.
Posted by: at November 4, 2004 06:37 AM
I can confirm it works in Safari. I see drunkenblog but it goes to Apple. On the other link I see Microsoft but it goes to Google.
Posted by: TJakab at November 4, 2004 10:36 AM
I think part of the problem with Quicktime performance and security is the fact that the codebase has never been updated. I spoke with some folks at WWDC this year who said it's basically the same Pascal code with Carbon wrappers and some Cocoa wrappers on top of it.
I get the feeling that CoreImage and CoreVideo in Tiger are the start of modernizing Quicktime or replacing it with something better.
Posted by: JJ at November 4, 2004 02:08 PM
It seems that Safari 1.3 Developer Preview is immune to the Safari vulnerability. I just wonder why it has not been released; it has been around since summer.
Posted by: Eddie Hargreaves at November 4, 2004 02:27 PM
iPhoto for Windows? I guess you didn't know that Apple has not created iPhoto for Windows and said they weren't going to. The iPod Photo uses Photoshop Elements, Album and/or the My Pictures folder.
Posted by: Cap'n Hector at November 8, 2004 11:49 PM
That exploit is interesting…on my system (10.4/Safari 2) the "outer" area of the link hovers to Drunkenblog.com and the inner area hovers to Apple.com.
Clicking where Drunkenblog.com hovers takes me there…Apple.com hover takes me to Apple.com.
Firefox seems to be immune. Your test hovers 'apple.com' and the original hovers to 'google.com'. Both links also take me to the hovered location. Did I misunderstand something or is Firefox not affected?