If at first you don't succeed; call it version 1.0
Friday, January 05, 2007

As I’ve already mentioned in the third "Month of Apple Bugs" (MoAB) advisory, the QuickTime HREFTrack feature, which was exploited in the last MySpace worm, is vulnerable to cross-zone scripting attacks.
Landon Fuller, who has decided to publish fixes for the bugs disclosed in the "Month of Apple Bugs", provided a fix for this vulnerability a few hours after the advisory was published.
This fix, which blocked references to the javascript: protocol handler in the HREFTrack attribute, was aimed at fixing the cross-site scripting vulnerability. That specific vulnerability was previously disclosed by pdp and was exploited in the MySpace worm, and it is a different vulnerability: although this fix was better than the one Apple provided (which probably only prevented the MySpace worm), it didn’t fix the vulnerability I disclosed in MoAB #3.

Today, following an e-mail exchange between us, Landon Fuller published a new version of the fix. This time, instead of blacklisting the javascript: protocol handler, he whitelisted only the protocol handlers that are supposed to be referenced from the HREFTrack attribute (http, https and ftp).
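As an added illustration (not Landon Fuller's patch or Apple's code), the allow-list check from the updated fix, written here as a stand-alone C function assumed to be called on the HREFTrack URL before any protocol handler is invoked; the deny-list shape of the first fix is included for contrast. The allow-list version refuses scheme-less (relative) URLs and assumes the caller resolves them against the page URL first.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Schemes the updated fix permits in an HREFTrack URL (constructed example). */
static const char *const kAllowedSchemes[] = { "http", "https", "ftp" };

/* Extract the URI scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
 * followed by ':'. Stores the lowercased scheme in out; returns false when the
 * URL has no well-formed scheme (relative URL, leading whitespace, empty input). */
static bool parse_scheme(const char *url, char *out, size_t outlen) {
    size_t i;
    if (url == NULL || !isalpha((unsigned char)url[0])) return false;
    for (i = 0; url[i] != '\0' && url[i] != ':'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.')) return false;
        if (i + 1 >= outlen) return false;          /* scheme too long for buffer */
        out[i] = (char)tolower(c);
    }
    if (url[i] != ':') return false;                /* never reached the ':' */
    out[i] = '\0';
    return true;
}

/* Allow-list check: the URL is accepted only if its scheme parses cleanly and is
 * one of http, https or ftp. Everything else, including scheme-less (relative)
 * URLs, is refused; the caller is assumed to resolve relative URLs against the
 * page URL before calling this. */
bool hreftrack_allowlist_allows(const char *url) {
    char scheme[16];
    size_t i;
    if (!parse_scheme(url, scheme, sizeof scheme)) return false;
    for (i = 0; i < sizeof kAllowedSchemes / sizeof kAllowedSchemes[0]; i++)
        if (strcmp(scheme, kAllowedSchemes[i]) == 0) return true;
    return false;
}

/* Case-insensitive prefix test (no POSIX strncasecmp, to stay in standard C). */
static bool prefix_ieq(const char *s, const char *prefix) {
    for (; *prefix != '\0'; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}

/* Deny-list check, the shape of the first fix: block only "javascript:" and let
 * every other scheme through. Kept for contrast with the allow-list above. */
bool hreftrack_denylist_allows(const char *url) {
    return url != NULL && !prefix_ieq(url, "javascript:");
}
```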

This updated fix, although it appears to be available only for Macintosh users, should prevent exploitation of this issue on that platform. Good job, Landon!
We’ll now have to wait for an official cross-platform fix from Apple, or maybe a cross-platform “Month of Apple Fixes” initiative.

P.S.
This fix patches the rNPN_GetURL() function. If this patch applies to both the QuickTime plug-in and the QuickTime Player, it should also prevent exploitation of the .qtl cross-zone scripting vulnerability, which was also previously disclosed by pdp.


Friday, January 05, 2007 10:02:51 AM UTC | Comments [5] | Security
Friday, January 05, 2007 3:17:58 PM UTC
Regarding your "Month of Apple Bugs" project: I think your project is little more than an attempt at calling attention to yourself, and here's why.

First, you call it a "Month of Apple Bugs" but your second bug has ABSOLUTELY NOTHING to do with Apple. They didn't code VLC, they don't bundle VLC, they don't support VLC. It's an entirely third-party application, and in fact the bug that you point out ALSO affects Windows PCs. Calling this an "Apple Bug" is quite a stretch of the imagination. If you wanted to be accurate, why didn't you just call your list "Month of Apple and Third-Party Software Bugs"? Answer: Because you didn't want to be accurate. You wanted to go for the impact of calling them *APPLE* bugs when they aren't all Apple bugs at all. That's like saying Toyota is responsible for all of the design flaws in Ford products, all with a straight face.

Second, you are clearly not doing this as any sort of "public service" but rather just to revel in your own imagined cleverness. If this were a real "public service" then you would ALSO point out when the bugs were fixed. For example, the VLC Media Player bug you pointed out was fixed within mere hours after you posted it -- but you make absolutely no effort to inform the public of this, preferring instead to revel in the imagined glory that you believe your list reflects upon you. To me, your list doesn't say "here are the bugs I've found and how to fix them" but rather "here are the bugs I've found, aren't I so gosh darned clever?".

Your "MoAB" list is interesting reading, and no doubt has the potential to bring about some positive change. But its effectiveness as a research or "alert" tool is overwhelmed by your obvious and demonstrable bias in how you've presented things and the "rules" you've laid out.
The Voice of Fairness
Sunday, January 07, 2007 8:53:19 PM UTC
OMG another hysterical fanboy
Wednesday, January 10, 2007 6:47:33 PM UTC
Why is it that whenever someone points out logical flaws in an argument, that person is instantly and irrationally described as a "hysterical fanboy"? I mean, my post is rational and intelligent based on observations seen thus far. Yours is just a third grade accusation based on absolutely nothing. In short: I'm talking through my mind and I'm a "fanboy", while you're talking out of your ass. By my estimation, that would make you a piece of shit.

If you have anything intelligent to rebut my previous post, I'd like to hear it. So far this "Month of Apple Bugs" is little more than a ploy to get people to pay attention to you.
The Voice of Fairness
Friday, July 13, 2007 1:01:34 PM UTC
The fix for this problem has actually broken a significant element of legitimate functionality in QuickTime. We've been using javascript: urls in HREFTracks for many years to synchronise slides with QuickTime videos. Apple's own tutorial (on http://www.apple.com/quicktime/tutorials/hreftracks.html) continues to say that javascript is allowed in HREFTracks, even though the fix for this bug has blocked it.

From a purely selfish point of view, this 'bug fix' has broken the QuickTime mode for about 80% of the video content on our website, so I've had to tell our users not to upgrade beyond 7.1.4 until the issue is addressed.

Windows Media Player and Real Player both allow javascript calls from within their event mechanisms without any apparent security issues, so I fail to see why an effective way of doing this in QuickTime can't be found too.

What is needed is not a block on javascript: calls in HREFTracks, but a restriction so that they can only execute code within the context of the page the QuickTime movie is embedded in. I've posted this to the Apple forums (on http://discussions.apple.com/thread.jspa?messageID=4814495#4814495) but nobody from Apple seems to be interested in sorting this out, in spite of the fact that they've broken a published feature of QuickTime from their own tutorials. I'm posting here in the hope that as the originator of the bug, somebody might finally notice the problem this has caused and do something about it.
Sunday, October 21, 2007 3:11:45 PM UTC
It's a really good idea, still I don't think they're gonna be impressed by 50 emails in the same day, what we should do is raise media awareness, that way we'll really get their attention.