05/12/2005, 3:20pm, EDT
Thursday, May 12th
New security vulnerability threatens Tiger
A security vulnerability in Mac OS X 10.4 Tiger allows a malicious .mov file to leak information to an external host. The exploit, which was discovered by David Remahl in Sweden, takes advantage of Quartz Composer "compositions," which have access to powerful tools known as "patches." Combining patches that provide advanced system information with patches that load information from the Internet allows an embedded .mov file to leak system details. A temporary workaround is to disable the QuickTime plug-in and treat Quartz Composer files with suspicion. An alternative workaround is to disable QTZ support in QuickTime by removing QuartzComposer.rcomponent from the QuickTime section of the system Library.
Leaked information:
Local user name (long and short)
Computer name
Local IP
OS / kernel version
CPU / RAM / GPU configuration
Names (human-readable) of Bonjour services on the local network
Local or system time
Volume of audio input
Lists of images (including PDFs) matching arbitrary Spotlight queries
Lists of images (including PDFs) in specific directories (relative to / or ~)
The existence of image and movie files can indicate the existence of certain software packages
Every time I see one of these exploits, I think of hearing on the news about a critical Windows XP update that Microsoft released for an exploit that was found six months prior to the fix.
No OS is going to be perfect but at least Apple seems to always be on their toes with Security patches and updates.
But, it is fairly innocuous info… it isn't like an AppleScript co-opting Mail and spamming the 'verse.
Here is hoping it is still addressed in short order.
OS X security flaw = Headlines. Win security flaws = Little Notice
T