The Quicktime update, to version 7.2 includes eight security vulnerability fixes some of which will allow code execution. It also includes updates to the H.264 codec, support for full screen viewing and “numerous bug fixes”. The update requires a reboot on both Mac and Windows.

The iTunes update brings iTunes to 7.3.1 and fixes a problem with iTunes 7.3 accessing the library. No other changes are documented.

Both patches are available through Apple software update or from the Apple download page.

One is in Webcore and can allow cross-site scripting attacks.

The second patched vulnerability was in Webkit and could allow remote code execution.

The update is available through Software Update or as a standalone download and requires a reboot.

This security vulnerability is described by Apple as:

…the reception of specially crafted IPv6 packets may lead to a reduction in network bandwidth.

This is a relatively low risk vulnerability as it doesn’t include a potential loss of data and doesn’t allow the installation of malicious software. The update also includes security patches released since 10.4.9.

The update is available through the Software Update feature of OS X or as a standalone download. The Intel version of the update is a 49MB download when done through Software Update (click the thumbnail to see notification full size). The update is also available as a standalone installer in four forms. There are downloads for the Power PC (PPC) and Intel CPUs. Then each CPU has a “delta” update which requires that 10.4.9 already be applied and a much larger “combo” update which includes all previous updates to OS X 10.4.

I applied the update to two Intel Macs without incident. Like previous updates the first reboot after the patch is significantly longer than usual.

This patches the same flaw that was plugged in OS X last month.

At first I thought this was interesting but probably not a problem. Apple TV’s seem limited in what they can do plus they usually reside on a home network behind a NAT router. Apparently this isn’t entirely true and will become even less true as features such as viewing YouTube videos and (maybe) movie rentals are added to Apple TV. Plus the vulnerability exists in UPnP IDG (Universal Plug ‘n Play Internet Device Gateway) which is used by many NAT routers to enable devices like Apple TV to get on the Internet. At least one security researcher was quoted as saying this is a serious flaw.

The update is only available through Apple TV’s self-update feature. Apple TV checks for updates on a weekly schedule so it may be up to a week before it receives the update. You can also manually trigger the update by selecting Settings -> Update Software from the menu.

After applying the update the software version will be 1.1. You can check the version by selecting Settings -> About from the menu.

Apple has also released an update to iTunes that now includes support for DRM free music. This update doesn’t have any security implications.

According to the Apple notification it contains updates to the following components:

• bind
• CarbonCore
• CoreGraphics
• crontabs
• fetchmail
• file
• iChat
• mDNSResponder
• PPP
• ruby
• screen
• texinfo
• VPN

The update is for both Intel and PPC macs.

One of the Macs was hacked on the second day, which made headlines (in the types of publications that care about such things). The headlines tended to be slanted in one of two directions. Some emphasized that Mac security was breached and equated it to the worst windows vulnerabilities. They left out the details. On the other side the articles were slanted towards the fact that the breach only occurred after the rules were relaxed and that the breach didn’t get root access. This was true and more detailed than the sensational headlines in the first category, but they tended to imply the breach was meaningless.

The facts are:

• The Mac was breached when it visited a malicious website
• The vulnerability is in Quicktime (Initial reports that it was a vulnerability in Safari were wrong.)
• Both Firefox and Safari could be used to deliver the vulnerability
• Windows is also considered vulnerable (if it has Quicktime)
• The vulnerability was found by a security researcher and the exploit was actually delivered by a friend of his. The friend is keeping the MacBook, the researcher is applying for the $10,000 bounty offered by TippingPoint.
• A second Mac, which required a hacker to get root/administrator level access and did not surf the web was not breached.

What does this all mean, if anything?

Starting at the top, it was necessary to visit a website to be breached. The OS used doesn’t affect whether or not a person visits a website. So social engineering is universally available to every OS with a web browser. (I’ll avoid the path which talks about which OS has “smarter” users.) The best that can be said is that since there’s more windows users they’re more likely to be affected if the vulnerability is OS specific. But do exploits have to be OS specific?

The vulnerability was in Quicktime which is essentially a third party app. I don’t say this to claim OS X wasn’t hacked. Apple created Quicktime and delivers it with every new Mac. Apple is responsible for it and for updating it. But Quicktime is essentially a 3rd party app made by the same company as the OS so it’s bundled. The vulnerability is also thought to exist in the Windows version (for obvious reasons the exact details of the vulnerability aren’t public). The Macromedia (now Adobe) Flash Player is another 3rd party web-helper app that has had vulnerabilities in the past. OS venders can’t prevent vulnerabilities in 3rd party apps, the most they can do is mitigate their effect.

Both Firefox and Safari could be used to run the exploit. This isn’t surprising since the vulnerability was in Quicktime. But it does mean any modern browser could probably be used.

Windows, with Quicktime, is also vulernable (or it’s thought to be). By exploiting a vulnerbility in a third party app it’s possible to exploit multiple OS’s. The greatest number of PCs are still Windows so the payload delivered by the exploit might be Windows only if the hacker is lazy or just wants the biggest bang. But it’s not difficult to determine the OS used so it would be trivial to deliver an OS specific exploit for various OS’s through the same exploit. It’s just a matter of writing each exploit.

The exploit was found as part of a contest with a prize of a Macbook and was submitted for a $10K prize. Year’s ago it might have been enough to be able to claim bragging rights. Now money is a prime motivator. Money motivates hacking for both good (bounties, paychecks) and for bad (sell spam distribution, steal passwords). An OS will be targeted when the financial rewards justify the efforts.

Root level access was not obtained, “only” user level access. While this may be the best a current OS can do when a 3rd party app is hacked it still does not mean we aren’t at risk. Programs installed into the user’s folders do not require a password to install and run. As Windows PCs become more secure hackers may have to learn to live with user-level hacks in the Windows world. Since that world is so large there’s a bigger financial reward for success. Once the lessons are learned there they will be trivial (low cost) to transfer to the OS X world. So while OS X may have a smaller user base (and therefore reward) the cost to hack OS X will also drop. Most of what hacker’s want is available though user level access, just easier when you can own the machine as an administrator. It just means you need to be signed on (unless they find a way around that) but many PCs and Macs use auto logons and most PCs stay always logged on when ever they are turned on.

Of course, the old unavoidable hacks persist as evidenced by the recent animated cursor exploit for which we were defenseless for awhile and could be exploited without us having to click anything (although receiving an email or going to a website were still required). But their numbers are decreasing.

I wouldn’t be surprised to learn that a PC installed with Vista (latest patches, additional software or settings) would be as secure as OS X. But what will bite Microsoft is that they don’t control the installations, the resellers do. Since tight security means more support calls (which go to the vendor, not to Microsoft) I wouldn’t be surprised to learn that what’s actually shipping is not as secure as it should be.

The best protection Mac users have is that there’s an extremely large population of vulnerable Windows machines out there and exploiting them is easy. In Windows XP Service Pack 2 Microsoft turned on the firewall by default. This made it much harder to just scan the internet looking for open ports to exploit and deliver a payload. This brought a drop in the spread of viruses through that method but an increase in other methods such as email and malicious websites. These are methods which require a user to take action (again, with some exceptions when a vulnerability can be exploited to bypass user action). With the firewall change the hackers changed their tactics to other profitable methods. I won’t be surprised to learn that web based attacks are becoming more sophisticated and will use cross-platform applications to exploit multiple OS. And as more applications work cross platform we’ll probably see more multiple OS aware attacks through their data files.

The good news is that Mac OS X has good security and Microsoft Windows is getting more secure as Microsoft learns it’s lessons. Us humans are now being targeted as the weak link but we do have control over where we browse and what email we open. The bad news is that there are still software vulnerabilities so that even the most careful of us are still at risk, although less risk than before.

The point isn’t which is more secure, OS X or Linux. The point is whether or not your computing habits and the software you use are secure. If they aren’t secure then no matter which OS you use it’s only a matter of time before you have problems.

News.com has a good story about the hack that emphasizes the details instead of the hype.