Thursday, December 6, 2007

Apple leaves Windows and Mac systems vulnerable

Brian Krebs wrote about an unpatched vulnerability in quicktime being exploited November 27th, 2007. That was nine days ago and Apple hasn't even acknowledged it yet. Hackers have had plenty of time to work on exploits for this vulnerability and now there are two "Universal Exploits" at milw0rm that work on Windows or Mac systems.

Personally, this is beginning to remind me of the time Microsoft had a huge WMF vulnerability just about two years ago. For the first time I felt it was pretty much unsafe to surf the web. Microsoft was dragging their feet on releasing a patch and at that time I decided to get a Mac which I named MS06-001. I was pretty upset at Microsoft around that time for leaving everyone vulnerable for so long. Now here is Apple doing pretty much the same thing but unlike Microsoft, they don't even acknowledge the problem. At least Microsoft tells you that you are pretty much screwed for now.

The SANS Internet Storm Center published a diary that includes some workarounds. These workarounds are not easy for your average user since some kind of technical computer knowledge is needed. Quicktime is so embedded into today's web experience that it is difficult to just install the software (which is what I did, btw). How does your average user even know they have a problem? And then there are logistics to think about if trying to deploy these workarounds in a large network environment. At the time I am thinking of our University which has well over 35,000 systems in a fairly decentralized setup. On one hand I want to recommend the workarounds yet on the other hand I don't. Hearing at least something from Apple would make the decision easier. If a patch is coming soon then maybe it is worth the risk to wait. If a patch is not coming soon than maybe it is worth recommending the workarounds.

There are Apple users that are beginning to get fed up with Apple's lack of response as well. They are virtually begging Apple for a fix and get no response whatsoever. And discussions at MacRumors shows people are worried about it but seem to be somewhat in denial or just not getting it. Numerous posts pretty much state that it will only affect Windows users and Mac users have nothing to worry about. This seems to be the default attitude of a lot of Mac users, unfortunately. The Universal exploit was released in late November yet there isn't a single mention of it in this thread.

This is a serious problem. A lot of what would be considered trusted sites allow users to embed content. It is really hard for the average user to protect themselves in this situation.

No comments: