New security vulnerability threatens Tiger

updated 03:20 pm EDT, Thu May 12, 2005

Tiger/QT exploit


A security vulnerability in Mac OS X 10.4 Tiger allows a malicious .mov file to . The exploit, which was discovered by David Remahl in Sweden, takes advantage of "compositions," which have access to powerful tools known as "patches." Combining patches that provide advanced system information with patches that load information from the Internet allows an embedded .mov file to leak system details. A temporary workaround is to disable the QuickTime plug-in and treat Quartz Composer files with suspicion. An alternative workaround is to disable QTZ support in QuickTime by removing QuartzComposer.rcomponent in the QuickTime section of the system Library.

Leaked information:

  • Local user name (long and short)
  • Computer name
  • Local IP
  • OS / kernel version
  • CPU / RAM / GPU configuration
  • Names (human-readable) of Bonjour services on the local network
  • Local or system time
  • Volume of audio input
  • Lists of images (including pdfs) matching arbitrary spotlight queries
  • Lists of images (including pdfs) in specific directories (relative to / or ~)
  • The existence of image and movie files can indicate the existence of certain software packages


    by MacNN Staff


    Comments

    1. jenmarsh

      Fresh-Faced Recruit

      Joined: Oct 2003

      0

      Another exploit please!

      Unlike the Dashboard vulnerability, this one seems a bit more concerning. However, I am once again confident Apple will patch this very fast. They have always been quick to respond, and I doubt this will be any different.

      Every time I see one of these exploits, I think of hearing on the news about a critical Windows XP update that Microsoft released for an exploit that was found six months prior to the fix.

      No OS is going to be perfect but at least Apple seems to always be on their toes with Security patches and updates.

    1. van rijn

      Fresh-Faced Recruit

      Joined: Sep 2002

      0

      it's beginning...

      to look a lot like windows with all this security ca ca going on

    1. Grrr

      Grizzled Veteran

      Joined: Jun 2001

      0

      Well done..

      Another security alert that needn't have been announced in such a way that it pretty much tells unscrupulous people who were not previously aware of it, exactly how to do it!

    1. dave a

      Fresh-Faced Recruit

      Joined: Jan 2002

      0

      agreed

      They could have been a little less clear on the details, all right.

    1. :dragonflypro:

      Senior User

      Joined: Sep 2003

      0

      But is it fatal

      The info is leaked, yes. That isn't good.

      But, it is fairly innocuous info… it isn't like an apple script co-opting Mail and spamming the 'verse.

      Here is hoping it is still addressed in short order.

      OS X security flaw = Headlines; Win security flaws = Little Notice

      T

    1. technohedz

      Fresh-Faced Recruit

      Joined: Jul 2000

      0

      show and tell

      What's with show and tell. If I find a security issue I call Apple and tell them. I also log it with Apple's bug reporting. That's at the very least. I don't post anything about it in public for a good 2 weeks. Making a website to demo something, like the widget one, or this kind of report is negligent. If you tell people how to circumvent the security of a system and they do it you are responsible for it, regardless of how we define 'responsible'. In short, this kind of stuff (that almost seems orchestrated) will make the people doing wish that I had never been born if they come face to face with me.

    1. technohedz

      Fresh-Faced Recruit

      Joined: Jul 2000

      0

      isn't fatal??

      Leaked username and password might be considered fatal to some.

    1. crevatis

      Fresh-Faced Recruit

      Joined: Feb 2005

      0

      Re: isn't fatal??

      Where is there any mention of a leaked password?

    1. tomas316

      Fresh-Faced Recruit

      Joined: Jan 2002

      0

      RE:isn't fatal??

      Crevatis is right, no mention of passwords anywhere...

    1. Impatient1

      Fresh-Faced Recruit

      Joined: Oct 2002

      0

      isn't fatal??

      No mention of leaked password at all. It provides basic information about the computer and various user accounts to someone who may be interested in breaking into it. That information would make it easier (than blindly guessing) to target the machine for a break-in but it would still require more effort.
