Printed from http://www.macnn.com

New security vulnerability threatens Tiger

updated 03:20 pm EDT, Thu May 12, 2005

Tiger/QT exploit

A security vulnerability in Mac OS X 10.4 Tiger allows a malicious .mov file to . The exploit, which was discovered by David Remahl in Sweden, takes advantage of "compositions," which have access to powerful tools known as "patches." Combining patches that provide advanced system information with patches that load information from the Internet allows an embedded .mov file to leak system details. A temporary workaround includes disabling the QuickTime plug-in and treating Quartz Composer files with suspicion. An alternative workaround involves disabling QTZ support in QuickTime by removing QuartzComposer.rcomponent in the QuickTime section of the system Library.

Leaked information:

  • Local user name (long and short)
  • Computer name
  • Local IP
  • OS / kernel version
  • CPU / RAM / GPU configuration
  • Names (human-readable) of Bonjour services on the local network
  • Local or system time
  • Volume of audio input
  • Lists of images (including PDFs) matching arbitrary Spotlight queries
  • Lists of images (including PDFs) in specific directories (relative to / or ~)
  • The existence of image and movie files can indicate the existence of certain software packages




    by MacNN Staff


    Comments

    1. jenmarsh

      Joined: Dec 1969

      0

      Another exploit please!

      Unlike the Dashboard vulnerability, this one seems a bit more concerning. However, I am once again confident Apple will patch this very fast. They have always been quick to respond, and I doubt this will be any different.

      Every time I see one of these exploits, I think of hearing on the news about a critical Windows XP update that Microsoft released for an exploit that was found six months prior to the fix.

      No OS is going to be perfect but at least Apple seems to always be on their toes with Security patches and updates.

    1. van rijn

      Joined: Dec 1969

      0

      it's beginning...

      to look a lot like windows with all this security ca ca going on

    1. Grrr

      Joined: Dec 1969

      0

      Well done..

      Another security alert that needn't have been announced in such a way that it pretty much tells unscrupulous people who were not previously aware of it, exactly how to do it!

    1. dave a

      Joined: Dec 1969

      0

      agreed

      They could have been a little less clear on the details, all right.

    1. :dragonflypro:

      Joined: Dec 1969

      0

      But is it fatal

      The info is leaked, yes. That isn't good.

      But, it is fairly innocuous info… it isn't like an apple script co-opting Mail and spamming the 'verse.

      Here is hoping it is still addressed in short order.

      OS X security flaw = Headlines Win Security flaws = Little Notice

      T

    1. technohedz

      Joined: Dec 1969

      0

      show and tell

      What's with show and tell? If I find a security issue I call Apple and tell them. I also log it with Apple's bug reporting. That's at the very least. I don't post anything about it in public for a good 2 weeks. Making a website to demo something, like the widget one, or this kind of report is negligent. If you tell people how to circumvent the security of a system and they do it you are responsible for it, regardless of how we define 'responsible'. In short, this kind of stuff (that almost seems orchestrated) will make the people doing wish that I had never been born if they come face to face with me.

    1. technohedz

      Joined: Dec 1969

      0

      isn't fatal??

      Leaked username and password might be considered fatal to some.

    1. crevatis

      Joined: Dec 1969

      0

      Re: isn't fatal??

      Where is there any mention of a leaked password?

    1. tomas316

      Joined: Dec 1969

      0

      RE:isn't fatal??

      Crevatis is right, no mention of passwords anywhere...

    1. Impatient1

      Joined: Dec 1969

      0

      isn't fatal??

      No mention of leaked password at all. It provides basic information about the computer and various user accounts to someone who may be interested in breaking into it. That information would make it easier (than blindly guessing) to target the machine for a break-in but it would still require more effort.
