a Security Update forthcoming from Apple. While Apple hasn't always been fast at releasing some updates, they will probably address this "bug" soon enough.

I generally publish stuff like this to apple's beg reporter. That way it gets fixed. All this does is give those who would actually do something malicious the methods to do so.

Why do I take this stance? Well it's simple. People who use exploits on the general public are idiots. They do not have the ability to find actual security flaws and exploit them. They require someone else to find them, publish them and they then follow directions.

I'll stick to being constructive instead of being an egomaniacal a**.

The real exploitation here is LHM. LHM seeks to exploit the media in order to gain his fifteen minutes of fame. Whether LHM wants to prove that he is L33t and pwnz u or wants to get someone's attention so that they will give him a job or some other goal, it is still plain and simple exploitation of the media.

It would be interesting to find out if any of the things that LHM will tell us about over the next 29 days are actually orginal. I suspect not.

In the end, as sixcolors has already pointed out, mature software engineers report bugs and security issue through established bug reporting systems so that the bugs can get fixed. Children and those with ego issues do other things.

Enjoy the spotlight LHM. I hope you find what you're really looking for.

Smittie

This guy shouldn't be called a security analyst. Real analysts use their names.

Someone smarter than me needs to look into this further but it appears to be that LHM's first security issue is either known by Apple or has already been fixed. The following quote is from this page on Apple's support site:

"QuickTime Streaming Server

CVE-ID: CVE-2006-1456

Available for: Mac OS X Server v10.3.9, Mac OS X Server v10.4.6

Impact: Maliciously-crafted RTSP requests may lead to crashes or arbitrary code execution

Description: By carefully crafting an RTSP request, an attacker may be able to trigger a buffer overflow during message logging. This may lead to the arbitrary code execution with the privileges of the QuickTime Streaming Server. This update adresses the issue by properly handling the boundary conditions. Credit to the Mu Security research team for reporting this issue."

Is this not the same issue that LHM claims to be reporting??

Sorry. The url didn't post. It is:

http://docs.info.apple.com/article.html?artnum=303737

Smittie

I suppose the unique aspect that LHM is reporting is that the rtsp request affects not only QTSS but QuickTime client as well.

I can't wait to see what's next.

Actually ther 'bug' is that I watched a movie of this 'analyst's' mother in Quictime and it made me smash my face through my monitor in horror, thus rendering the entire computer useless. It's way more serious than he leads you to believe!

There's already a fix for it available at http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php