CYBERSPACE — Security researcher Kevin Finisterre and his anonymous partner “LMH” kicked off their MOAB (“Month of Apple Bugs”) project yesterday by detailing a stack overflow error in Apple’s commonly-used QuickTime media player.“A vulnerability exists in the handling of the rtsp:// URL handler,” LMH stated in a post to his “Apple Fun” blog. “By supplying a specially crafted string… an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.”
“Exploitation of this issue is trivial,” LMH added in his summary of the flaw.
The French Security Incident Response Team (FrSIRT) has rated the flaw “Critical,” and suggests that QuickTime users disable Real Time Streaming Protocol (RTSP) support until an official patch for the bug has been supplied.
Dutch security firm Secunia concurred with FrSIRT’s assessment, terming the flaw “highly critical.” Secunia recommended that QuickTime users not open “untrusted QTL files” pending the release of an official patch.
Apple has not yet commented on the bug.
This is not LMH’s first “month of bugs” project; in November, the anonymous researcher/hacker conducted the “Month of Kernel Bugs.” Both appear to have been inspired by the “Month of Browser Bugs” conducted by MetaSploit.com last July.
The MOAB project was recently derided in a Mac Observer editorial as a “Month of Continuous Foolishness.” In the piece, Mac Observer’s John Martellaro takes umbrage with LMH’s bug reporting approach, which does not include prior notification to Apple’s security teams.
Martellaro opines that the MOAB project is “some kind of desire for notoriety,” and notes that “there are appropriate channels to handle these discoveries that are professional and protect everyone.”
On a FAQ published on the MOAB website, LMH states that his project does “rarely” notify vendors first, adding that “sometimes we may decide to pass an issue through the appropriate people.”
“The problem with so-called ‘responsible disclosure’ is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial,” the FAQ answer continues. “And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end.”
In his editorial criticizing the MOAB project, Martellaro asserts “the supposition that there are some people who take the security of Mac OS X more seriously than the BSD professionals and Apple engineers is stupendously arrogant and self-serving.”
For more information, check out the following:
Secunia’s security advisory: http://secunia.com/advisories/23540/
LMH’s “Apple Fun” blog: http://applefun.blogspot.com/
The MOAB website: http://projects.info-pull.com/moab/
