Printed from http://www.macnn.com

New security vulnerability threatens Tiger

updated 03:20 pm EDT, Thu May 12, 2005

Tiger/QT exploit

A security vulnerability in Mac OS X 10.4 Tiger allows a malicious .mov file to . The exploit, which was discovered by David Remahl in Sweden, takes advantage of "compositions," which have access to powerful tools known as "patches." Combining patches that provide advanced system information with patches that load information from the Internet allows an embedded .mov file to leak system details. A temporary workaround includes disabling the QuickTime plug-in and treating Quartz Composer files with suspicion. An alternative workaround involves disabling QTZ support in QuickTime by removing QuartzComposer.rcomponent in the QuickTime section of the system Library.

Leaked information:

  • Local user name (long and short)
  • Computer name
  • Local IP
  • OS / kernel version
  • CPU / RAM / GPU configuration
  • Names (human-readable) of Bonjour services on the local network
  • Local or system time
  • Volume of audio input
  • Lists of images (including PDFs) matching arbitrary Spotlight queries
  • Lists of images (including PDFs) in specific directories (relative to / or ~)
  • The existence of image and movie files can indicate the existence of certain software packages




    by MacNN Staff


    Comments

    1. jenmarsh

      Joined: Dec 1969

      0

      Another exploit please!

      Unlike the Dashboard vulnerability, this one seems a bit more concerning. However, I am once again confident Apple will patch this very fast. They have always been quick to respond, and I doubt this will be any different.

      Every time I see one of these exploits, I think of hearing on the news about a critical Windows XP update that Microsoft released for an exploit that was found six months prior to the fix.

      No OS is going to be perfect but at least Apple seems to always be on their toes with Security patches and updates.

    1. van rijn

      Joined: Dec 1969

      0

      it's beginning...

      to look a lot like windows with all this security ca ca going on

    1. Grrr

      Joined: Dec 1969

      0

      Well done..

      Another security alert that needn't have been announced in such a way that it pretty much tells unscrupulous people who were not previously aware of it, exactly how to do it!

    1. dave a

      Joined: Dec 1969

      0

      agreed

      They could have been a little less clear on the details, all right.

    1. :dragonflypro:

      Joined: Dec 1969

      0

      But is it fatal

      The info is leaked, yes. That isn't good.

      But, it is fairly innocuous info… it isn't like an apple script co-opting Mail and spamming the 'verse.

      Here is hoping it is still addressed in short order.

      OS X security flaw = Headlines Win Security flaws = Little Notice

      T

    1. technohedz

      Joined: Dec 1969

      0

      show and tell

      What's with show and tell? If I find a security issue I call Apple and tell them. I also log it with Apple's bug reporting. That's at the very least. I don't post anything about it in public for a good 2 weeks. Making a website to demo something, like the widget one, or this kind of report is negligent. If you tell people how to circumvent the security of a system and they do it you are responsible for it, regardless of how we define 'responsible'. In short, this kind of stuff (that almost seems orchestrated) will make the people doing wish that I had never been born if they come face to face with me.

    1. technohedz

      Joined: Dec 1969

      0

      isn't fatal??

      Leaked username and password might be considered fatal to some.

    1. crevatis

      Joined: Dec 1969

      0

      Re: isn't fatal??

      Where is there any mention of a leaked password?

    1. tomas316

      Joined: Dec 1969

      0

      RE:isn't fatal??

      Crevatis is right, no mention of passwords anywhere...

    1. Impatient1

      Joined: Dec 1969

      0

      isn't fatal??

      No mention of leaked password at all. It provides basic information about the computer and various user accounts to someone who may be interested in breaking into it. That information would make it easier (than blindly guessing) to target the machine for a break-in but it would still require more effort.
