Zero Day Exploit For QuickTime Flaw

InformationWeek is reporting that an Italian security researcher has posted an exploit for a zero-day vulnerability in QuickTime 7.3.1 that impacts both the OS X and Windows versions of the software. The exploit would allow an attacker to execute malicious code on the target system.

The “researcher”, Luigi Auriemma, describes the exploit as being based on a flaw in QuickTime’s parsing of HTTP error messages and has not provided Apple with advance notice before publishing the proof-of-concept code. Symantec has confirmed that the flaw can produce a Denial of Service, but has not confirmed the remote code execution claim.
As of this post, Apple has not posted a fix to this issue, but here are some steps you can take to protect yourself (via US-CERT):

  • Uninstall QuickTime (OK, kinda extreme)
  • Block the rtsp:// protocol (given how much we love streaming media, not likely either)
  • Disable the RTSP protocol handler (reasonable, depending on your risk tolerance). Mac OS X users can disable the RTSP protocol handler by editing the ~/Library/Preferences/com.apple.LaunchServices.plist file with Property List Editor. Change the LSHandlerRoleAll value associated with the rtsp LSHandlerURLScheme to something other than com.apple.quicktimeplayer. This process can be simplified by using an application such as RCDefaultApp.
  • Disable QuickTime as the RTSP protocol handler on OS X (reasonable…you can pick RealPlayer as an alternative). To disable the RTSP registered protocol handler in OS X, open ~/Library/Preferences/com.apple.LaunchServices.plist and look through a hundred or more entries to find RTSP and change it to something else.
  • Do not access QuickTime files from untrusted sources (duh). Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
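The two plist-editing bullets above describe the same check and the same change: find the LSHandlers entry whose LSHandlerURLScheme is rtsp and make sure its LSHandlerRoleAll is not com.apple.quicktimeplayer. The script below is an added example (not from US-CERT, Apple or the original post) that does this with Python's standard plistlib. It assumes the file's layout is a top-level "LSHandlers" array of dictionaries carrying those two keys, and it works on a constructed sample plist embedded in the block; the replacement bundle identifier com.example.alt-player is a placeholder, not a real application.

```python
import plistlib

# Bundle identifier named in the advisory as the handler to move away from.
QUICKTIME_BUNDLE_ID = "com.apple.quicktimeplayer"

# Constructed stand-in for ~/Library/Preferences/com.apple.LaunchServices.plist.
# Assumed layout: a top-level "LSHandlers" array whose entries pair an
# LSHandlerURLScheme with the LSHandlerRoleAll bundle id that handles it.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>LSHandlers</key>
  <array>
    <dict>
      <key>LSHandlerURLScheme</key>
      <string>rtsp</string>
      <key>LSHandlerRoleAll</key>
      <string>com.apple.quicktimeplayer</string>
    </dict>
    <dict>
      <key>LSHandlerURLScheme</key>
      <string>mailto</string>
      <key>LSHandlerRoleAll</key>
      <string>com.apple.mail</string>
    </dict>
  </array>
</dict>
</plist>
"""


def find_url_handler(plist, scheme):
    """Return the LSHandlers entry registered for a URL scheme, or None."""
    for entry in plist.get("LSHandlers", []):
        if entry.get("LSHandlerURLScheme", "").lower() == scheme.lower():
            return entry
    return None


def current_rtsp_handler(plist_bytes):
    """Return the bundle id registered for rtsp:// URLs, or None if there is none."""
    entry = find_url_handler(plistlib.loads(plist_bytes), "rtsp")
    return None if entry is None else entry.get("LSHandlerRoleAll")


def rtsp_handled_by_quicktime(plist_bytes):
    """True when QuickTime Player is the rtsp:// handler (the exposure the advisory describes)."""
    return current_rtsp_handler(plist_bytes) == QUICKTIME_BUNDLE_ID


def reassign_rtsp_handler(plist_bytes, new_bundle_id):
    """Return plist bytes with the rtsp:// handler pointed at new_bundle_id.

    This is the advisory's mitigation in code form. If the file has no rtsp
    entry at all, one is added so the scheme gets an explicit handler.
    """
    plist = plistlib.loads(plist_bytes)
    entry = find_url_handler(plist, "rtsp")
    if entry is None:
        entry = {"LSHandlerURLScheme": "rtsp"}
        plist.setdefault("LSHandlers", []).append(entry)
    entry["LSHandlerRoleAll"] = new_bundle_id
    return plistlib.dumps(plist)


if __name__ == "__main__":
    import sys

    # Usage: python rtsp_handler.py [path-to-plist]
    # Without an argument the constructed sample above is inspected.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    print("rtsp:// handler:", current_rtsp_handler(data))
    print("handled by QuickTime:", rtsp_handled_by_quicktime(data))
```

plistlib.loads accepts both the XML and the binary plist encodings, so the same check runs against the file as it sits on disk; the output of reassign_rtsp_handler is XML, which Property List Editor and the system both read. Back the original file up before writing the result over it.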

AOL Video & Amazon Unbox Hook Up

AOL Video is going to drop its own for-pay download offerings in favor of Amazon Unbox, according to company officials. AOL will integrate links to Amazon Unbox, while content will be integrated throughout AOL Video and in relevant video search results across the site. The integration of Unbox within AOL Video begins tomorrow and will be complete in about a week. Continue reading at NewTeeVee.

Your Leopard Love Affair

Iyaz Akhtar wrote earlier about some of the new features in Leopard, set to debut in nine days. The full list spans over 300 new features — some of them niftier than others.

This is my first major OS X upgrade since I switched (back) to Mac, and it struck me as funny that a friend wants to wait a week to see what issues come up with Leopard. (Isn’t that what beta testing is for?) So I have two questions for you, dear readers:

  1. Are you planning to upgrade to Leopard immediately or soon after it becomes available on October 26th?
  2. What 1 or 2 new features or enhancements are you most excited about?

I’ve already preordered my copy, and I can’t wait for the new AppleScript and scripting bridge as well as beefed up security (especially 256-bit AES).

10.4.11 Updates?

With September ending, and Leopard effectively promised for October, the 10.4.11 ‘fix list’ keeps piling up. From what I know right now, it supposedly should cover: CUPS, VPN and L2TP, audio bugs (Core Audio and .m4a), AFP server issues, USB devices, networking fixes (again), BSD and interlock timeouts, and all kinds of ‘enhancements.’
I know that I, at least, have a couple of machines that are not going to be running Leopard ever – they just can’t hack it. They’re fine for their purpose, lab machines all, but they don’t meet system requirements for Leopard and never will. I have only three machines – my Macbook Pro, my G5 Powermac, and a G4 iMac – that can, in fact. Accordingly, I am much more interested in Tiger updates than Leopard. I’ve seen all the reviews and feature lists for Leopard already.
Here’s what I’m hoping for in 10.4.11:

  • Playing .ogg, .wma, and .flac without extra plugins or conversions.
  • Not crashing G4 machines when a Samba share goes missing. (Elegant disconnects.)
  • Pie in the sky, but – an icon editor/replacement app?
  • Reliable time from a network timeserver running on a Windows machine, because there’s nothing like locking an Active Directory password because Kerberos is being cranky.
  • Better interoperability with Active Directory – companies are not going to be switching to Leopard on a large scale yet, and fixing this in Tiger is the way to go.

What do you hope to see?

Open Thread Weekend: We answer tech questions, too

The open thread closes at midnight PDT (UTC -0700). Be sure to get your questions in before then!
Although we at The Apple Blog like to hand down our knowledge and opinions on all things AAPL (sometimes a little too self-righteously, sure, but aren’t bloggers supposed to be snarky and provocative?), the real reason we’re here is to serve cool readers like you. Yep, you! Whether through the articles we write, or by answering the questions you post in open threads, our purpose as TAB bloggers is to offer you assistance and insight into the Apple world and the Cult of Mac.
Is there some technical topic about OS X that has been bugging you for a while? Prof. MacLovin is here to help! Whether it’s configuring launchd(8) services or getting that issue resolved with your blinking AirPort Extreme status light, run it by me. Having problems getting your favorite GNU software to compile? I’ve been there and done that: I feel your pain, and I will ease it. If you accidentally break down your software RAID-1 device in Disk Utility, though, you’re out of luck. I’ve been there and felt that pain, too, and there’s nothing that can be done.
So have at it: What’s on your mind? Anything that you’ve been trying to accomplish with your Mac that you can’t quite figure out? We’ll work through it together. Answers to your questions are just a comment away.

Is It A Steal Or Did They Blink?

Microsoft (MSFT) today announced “The Ultimate Steal” deal for Microsoft Office 2007 that gives students a chance to buy Microsoft Office 2007 for $60, a deep discount of 91%. (In comparison Microsoft Office for Mac costs $150 for Student and Teachers Edition.)
This might be a small price to pay for the company since it is ensuring that people continue to use its productivity suite. But is it too late? Paul Stamatiou writes:

Granted, most of my classmates pirated Office 2007, use Google Docs or use OpenOffice; had Office 2007 been priced under $100, things would have been much different.

I wonder what the students think about this offer – that should be more telling. On a different tangent, will this discounting prompt other customers to ask for deep price cuts as well? If that happens, then it could put Microsoft’s cash cow on a crash diet, giving Office wannabes a chance to gloat.
Ashkan Karbasfrooshan sums it up best when he writes: god bless competition.

Is Classic Really, Seriously, Dead?

It doesn’t seem all that long ago that my boss prohibited me from bringing the Mac OS X beta to work due to its lack of DVD support, or the years that followed when Mac users everywhere decried Quark’s slow progress away from Mac OS 9. Six years after Mac OS X’s debut, the Classic Environment has gone the way of operating systems past, a digital graveyard of bits and bytes. In fact, I can’t remember the last time I was forced into the Classic Environment, by way of some antiquated software.
In six years’ time, as our Windows brethren have moved from Windows 98 to ME to XP and now Vista, we’ve seen Mac OS X grow and develop through each of its cat-themed releases. Yet the foundation of Mac OS 9 (Classic) remains an option. Should I need to, I can boot the Classic Environment and open ancient apps. I can open the Control Panels and amuse myself with Platinum Sounds effects, launch Key Caps, or tinker with the Chooser.
But rather than being useful, it’s like walking through a museum. Take a look, for instance, at the bundled Search engines in Sherlock. You won’t find Google or Yahoo! here. Instead, you have second-tier sites like Alta Vista, Excite and Lycos, along with others you probably haven’t heard of in a while: GoTo.com, HotBot, and DirectHit.

[Image: Sherlock’s Search Engine Offerings]

By now, in the second half of 2007, every technology laggard has either finally released an OS X capable application, abandoned the Mac, or given way to a new, faster-moving competitor. Is there any reason for Classic any more? What’s the likelihood of finding a need to boot into OS 9 for more than misguided nostalgia? Or was Steve Jobs right when he told developers in 2002 it was time to bury the OS, once and for all? (CNET | YouTube Video)

Happy Mother’s Day!

I spent the day with my Mom as it is Mother’s Day here in the US and it was a good time for all.  Happy Mother’s Day to you all, either for you or your Moms.  If you can’t visit your Mom as I did at least give her a call, and if you’re in North America don’t forget SkypeOut calls are free to anywhere in the world.

T-Mobile confirms tomorrow’s Windows Mobile 6 upgrade for Dash


I’m still busy, busy, but at least now you’ll all know one of the items I was working on this morning. We just got direct word that T-Mobile Dash customers can upgrade to Windows Mobile 6 tomorrow, May 4th, at this link. HTC was kind enough to let us get the upgrade a day early, and the install process worked flawlessly; it only took about 10 minutes. The ROM flash will wipe out all of your data, installed apps & contacts, so be forewarned. Once I had the upgrade completed, I set my Dash up for Exchange syncing and had my mail, contacts, appointments and tasks in just a few minutes. Oh, and it’s soooo nice to see Microsoft Voice Command in there. 😉

More observations to follow as we get more hands-on time with the upgrade on the Dash; the full press-release follows.
