
Apple Closes iSight Security Hole

CmdrTaco posted more than 7 years ago | from the nobody-wants-to-see-me-naked dept.

Security 213

Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (iSight) web cam sees up to the server. I'm glad they fixed this quickly."


Security Hole? (4, Funny)

Billosaur (927319) | more than 7 years ago | (#17312036)

Or cleverly disguised attempt to monitor people by the Department of Homeland Security? You be the judge!

Re:Security Hole? (4, Funny)

D-Cypell (446534) | more than 7 years ago | (#17312188)

You be the judge!

Can I be the clandestine military tribunal?

Oblig. Buckaroo Banzai quote (1)

transporter_ii (986545) | more than 7 years ago | (#17313488)

Laugh-a while you can monkey boy.

Which is kind of fitting with the Buckaroo article on the front page yesterday!

Transporter_ii

Re:Security Hole? (5, Interesting)

TheRaven64 (641858) | more than 7 years ago | (#17312298)

In his book, 1984, George Orwell proposed the idea of television screens that also acted as camera and allowed a remote viewer to monitor whatever was going on in front of them.

In the year 1984, Apple Computers released an advert for the first Mac with the slogan 'Why 1984 won't be like 1984.'

In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.

Re:Security Hole? (1)

peragrin (659227) | more than 7 years ago | (#17312710)

I believe it's apple but it could be another company but someone has a patent for inserting a photo receptor along side of LCD color pixels.

by using software to combine the image the screen could literally be the camera.

Good for video conferencing, useful for general security(bars and vegas could suddenly have more camera's at various angles at their disposal), totally 1984.

Re:Security Hole? (2, Funny)

Billosaur (927319) | more than 7 years ago | (#17312714)

In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.

And in the year 2011, iMacs and iPods will join together in a cyber-network to battle the ultra-powerful PS3 collective. Oops... you weren't supposed to know about that...

Re:Security Hole? (1)

geobeck (924637) | more than 7 years ago | (#17313348)

And in the year 2011, iMacs and iPods will join together in a cyber-network to battle the ultra-powerful PS3 collective.

"Those helmets weren't designed to handle this level of rock'n'roll!" -PS3 (Plankton, Sheldon the Third)

C'mon, we all know the iPods will win with music, right?

Re:Security Hole? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17313400)

That's going to keep me laughing a long time. ESPECIALLY at the mac zealots out there (those who believe it was the perfectly secure OS, but even patched it shows that what some zealots were saying before was an absolute steaming pile of something - there's a Mac user in the office 50 ft from me, i'm going there now to laugh). but FTA "They received code that demonstrated the problem on 05 December, and have a patch in software update as of today (19 December)." is pretty nice time on this patch, let's hope they keep it up - it sets a nice example for their competition *cough*patch tuesday*cough*

Re:Security Hole? (3, Informative)

LurkerXXX (667952) | more than 7 years ago | (#17313688)

Psst, hey anonymous troll. MS used to release patches at random intervals as soon as they were ready as well. They did that for many years. Their huge corporate clients asked them to consolidate the patches to a regular interval so that their tech staff could test and roll them out in synch, saving tons of time testing all their regular and custom built in-house apps with each patch that MS released to make sure nothing broke, then rolling them out to thousands of machines, then testing all their stuff again 3 days later when another patch rolled out, then 5 days later when another patch rolled out, etc, etc.

Patch Tuesday was because of customer requests. This isn't 'competition' against patch tuesday.

Re:Security Hole? (2, Interesting)

internic (453511) | more than 7 years ago | (#17314180)

While what you're saying might well be true, I really don't understand the logic. If MS released patches continuously as they were completed, how would this stop major corporations from testing and deploying them on a regular cycle? Couldn't the corporation equally well still have a "patch Tuesday" where they collect all the current, undeployed patches and begin the process of testing and deploying them? All patches that became ready later than that would be processed in the next cycle. If MS released patches as they were done, each company would have the option of using whatever patching cycle they see fit. What's the benefit of MS forcing everyone to use a specific patching cycle?

Re:Security Hole? (3, Insightful)

djh101010 (656795) | more than 7 years ago | (#17313710)

That's going to keep me laughing a long time. ESPECIALLY at the mac zealots out there (those who believe it was the perfectly secure OS,

You know, it's funny. The ONLY people I ever see who say "perfectly secure" or "bulletproof", are people like you. Maybe you just don't read clearly and you think Mac folks actually are saying it, or maybe you're just an AC trying to stir up discussion. So are you ignorant, or are you lying?

Re:Security Hole? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17314164)

This is hysterical, two responses, one pro Mac and one pro MS, I got under the skin of everyone. On the MS post, yeah, it was just a generic comment on MS #'s of patches getting released, in hindsight not much validity to that comment. But to the pro Mac post, WTF you talking about? Have you read Slashdot lately? "The ONLY people I ever see who say "perfectly secure" or "bulletproof", are people like you" - I can safely say that I have never in my life ever even suggested Macs were secure, I used to screw around with Mac users in a variety of ways so I know the system isn't secure, haven't looked at OSX much, but it's another OS, it can be done, no questions about that, so knowing that why did you lie about my viewpoint? And another "either you're ignorant or lying" comment, why are you able to see what I am reading or have knowledge of what I have read... I have in the past replied to comments where people did say there were no remote holes in Mac OSX, even so far as one who was so stupid he claimed it was secure even if you opened telnet and gave out the admin, no one could get in - believe me, the Slashdot comments are filled with comments claiming a bizarre level of security, not all of them, but it's a common sight. Use the search there buddy, it's your friend, I'm too lazy to go back and post links to show you're wrong.

Now sorry if this offends you, but you did respond with just a flame by adding an insult at the end that you have no backing for, if that's the level the discussion is at, then I'm rubber and you're glue. Oh and I'm AC, cause I don't give a damn, you're djh101010 (656795) and that means absolutely squat to me. Geez, say anything bad about Apple on Slashdot.... I won't go on a flame here, I'm ending this here as I won't be reading more on this, but partly it was an experiment on where Slashdot views Apple, truth be told, if I was talking about laughing at MS users cause of remote security holes, I honestly believe I would be modded up, talk about Apple in the same boat and you're damned to hell. Now I'm not lying or ignorant, but I see a rather unbalanced perspective of security in the OS world for Slashdot and if you don't see that, well then there's a difference of opinion (not ignorant or any other childish insults, some people actually do have a different perspective).....

sorry all, but I am a rather sarcastic little bastard at times /flame off

Tape War (5, Funny)

bill_mcgonigle (4333) | more than 7 years ago | (#17313598)

In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.

Your Orwellian society is defeated by a piece of tape.

Re:Tape War (1)

Yvan256 (722131) | more than 7 years ago | (#17314246)

Your Orwellian society is defeated by a piece of tape.
And some CD DRM is defeated by a Sharpie marker.

Isn't technology great? In the future, Red Green [redgreen.com] is going to rule the world!

Re:Security Hole? (0)

Anonymous Coward | more than 7 years ago | (#17313656)

Seriously... I knew this shit was gonna happen, which is why I was reluctant to get a macbook. Having a built in camera = asking for trouble.

Re:Security Hole? (1)

FunkeyMonk (1034108) | more than 7 years ago | (#17312644)

People, ANYTHING you do on the internet is not private -- ever!

Re:Security Hole? (2, Funny)

forkazoo (138186) | more than 7 years ago | (#17312658)

Or cleverly disguised attempt to monitor people by the Department of Homeland Security? You be the judge!

I dunno about DHS, but I do know that this report has made me cancel the Christmas orders I had placed for Mac Laptops to give to hot chicks...

And images of (4, Funny)

Timesprout (579035) | more than 7 years ago | (#17312058)

A fat sweaty bearded geek sitting in his parents basement scoffing pizza and jolt while on a raid with his guild is a security issue how exactly?

Nonsense (5, Funny)

CmdrGravy (645153) | more than 7 years ago | (#17312104)

The internet is full of ladies and they all surf practically naked, I know this because this is what they tell me in chatrooms and other socialising sites.

Re:Nonsense (1)

larkost (79011) | more than 7 years ago | (#17312632)

Porn sites are not exactly "socializing sites".

Re:Nonsense (-1)

Anonymous Coward | more than 7 years ago | (#17314254)

They are actually looking for attention - the cost of which is naked flesh - camfrog and paltalk are your friends lol

Re:And images of (5, Funny)

Rakshasa Taisab (244699) | more than 7 years ago | (#17312142)

Uhm, the article said Apple, not Windows.

As is well known, we users of MacOSX are all tall with athletic bodies.

Re:And images of (3, Funny)

hab136 (30884) | more than 7 years ago | (#17312620)

As is well known, we users of MacOSX are all tall with athletic bodies.

Speak for yourself.. I'm a fat sweaty geek sitting in a basement scoffing pizza and Pepsi while on a raid with his guild (WoW for OSX). No beard though, and it's my basement.

Scoffing pizza? (1)

Doctor Memory (6336) | more than 7 years ago | (#17313512)

"Pizza, bah!"

"Your pizza is insignificant compared to the power of the Force!"

"Dude, pizza is, like, so last week, dude..."

ITYM scarfing pizza...

Re:Scoffing pizza? (1)

TheLink (130905) | more than 7 years ago | (#17313764)

scoff is correct.

http://dictionary.reference.com/search?q=scoff

scarf is slang.

Re:Scoffing pizza? (1)

Doctor Memory (6336) | more than 7 years ago | (#17314256)

</whoosh>

Re:And images of (0)

Anonymous Coward | more than 7 years ago | (#17313042)

It's not our fault, we were just born this way!

Re:And images of (1)

blake3737 (839993) | more than 7 years ago | (#17313446)

I am?? Can you tell all the hot girls that?? They don't seem to think so... please convince them for me!!

Re:And images of (1)

Conanymous Award (597667) | more than 7 years ago | (#17314350)

Thank you, fellow OS X user, for making my day with this comment. Unfortunately, I must sue you for the loss of my MacBook's keyboard due to a sudden, violent outburst of tea you just caused.

Re:And images of (1)

vjmurphy (190266) | more than 7 years ago | (#17312158)

Well, understand that my knowledge of computers has come totally from watching TV and movies: my assumption is that while said fat sweaty bearded geek may look like he's raiding with his guild, it's likely that he's accidentally connected to a Department of Defense computer and is actually sending orders to a highly trained team of Navy Seals working undercover. The good news is that these types of things always seem to end well for all involved, with DKP for all.

Re:And images of (1)

jimstapleton (999106) | more than 7 years ago | (#17312162)

given a recent slashdot article [slashdot.org] , I think your comment should be fixed:

A fat sweaty bearded granny sitting in his parents basement scoffing pizza and jolt while on a raid with his guild is a security issue how exactly?

Re:And images of (4, Funny)

un1xl0ser (575642) | more than 7 years ago | (#17312210)

Dude, this was on a Mac... no games. duh

Re:And images of (5, Funny)

operagost (62405) | more than 7 years ago | (#17312308)

Liar. There's Breakout, Super Breakout, and Photoshop!

Re:And images of (1)

shrubya (570356) | more than 7 years ago | (#17312358)

Dude, except for WoW. that game. duh

Re:And images of (1)

Clock Nova (549733) | more than 7 years ago | (#17313136)

Hey, we got Starcraft just last week. That's pretty fun.

Re:And images of (2, Informative)

djh101010 (656795) | more than 7 years ago | (#17313772)

Dude, this was on a Mac... no games. duh

Ignorance, or humor? It's so, so hard to tell. And besides, I could always boot the thing into Windows if I wanted. But by all means, don't let actual facts get in the way of your ignorance and/or joke. /me waits for "one button mouse" comment/

Re:And images of (1)

PoloniumSandwich (1035998) | more than 7 years ago | (#17312222)

It's a security issue if you're in the opposing guild. You haven't seen ".-=AAPL=-. TheJobster" running around with a giant bastard sword?

Re:And images of (0)

Anonymous Coward | more than 7 years ago | (#17313084)

Ahem. On macs?? You have a good chance of having sweaty underdressed graphic artists scoffing Tab while photoshopping.

Dreams...

Too late, Taco! (3, Funny)

elrous0 (869638) | more than 7 years ago | (#17312090)

They didn't update QUITE fast enough. I've already seen you in your underwear.

It's not a pretty sight, folks.

-Eric

I guess we won't be..... (3, Funny)

8127972 (73495) | more than 7 years ago | (#17312096)

..... Able to see cute college co-eds prancing around in their dorms half (or if we're lucky, totally) naked.

Re:I guess we won't be..... (1)

rune-bare-rune (74864) | more than 7 years ago | (#17312180)

I guess this page [cancer.org] would quickly be the first to be subverted with that particular java applet.

Wrong demographic for Mac... (1)

xxxJonBoyxxx (565205) | more than 7 years ago | (#17312202)

Wrong demographic for Mac...if you wanted to see male liberal arts majors with rectangular-lensed glasses watch Futurama reruns on bean-bag chairs I think you'd be happier.

Amusing Anecdote (4, Funny)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17313602)

One day I wandered into the closest Apple store and was playing with the latest version of OS X to see if I wanted to upgrade. They all had internet connections and isight cameras and I thought it would be fun to play with them. So I made up a new ichat account and added a few people I knew at the time with a camera on their system to the buddy list to see if they were online. The person available just happened to be a cute college co-ed dating one of my buddies. She's one of those skinny little redheads guys always seem to fall for. Anyway, after I got to try out the video chat feature I took off and thought no more about it.

The next time I talked to her she told me I had brought her a lot of entertainment and some embarrassment. It seems people in the store also wanted to try out the video chat, and since there was an account set up with her on the list, they kept sending her chat requests. This was the entertaining part. The embarrassing part was the first time someone did that, she assumed it was me again, and was not quite fully dressed at the time. She said the guy seemed pretty shocked, but nice enough after she jumped out of the camera's line of sight and pulled on a robe.

Re:Amusing Anecdote (1)

TheLink (130905) | more than 7 years ago | (#17313818)

So she doesn't mind you seeing her "not quite fully dressed"?

Hmmm...

Re:Amusing Anecdote (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17314146)

So she doesn't mind you seeing her "not quite fully dressed"?

Not everyone is a prude :) Besides, I'm living with her old roommate, who is cuter yet, which puts me in the "safe" category as far as most women are concerned.

Re:Amusing Anecdote (3, Funny)

Woy (606550) | more than 7 years ago | (#17314236)

... Looking back, most industry executives agreed that the singular moment that propelled Apple to its current 97% marketshare was a lone post on what was then just another Internet forum, and not the brain center for the world government it is today: "The post from '99 [99BottlesOfBeerInMyF] really just got things started," says Steve Jobs, "Up until then we were kind of sitting around wondering how to sell all those shiny computers. We knew about girls and cameras, but we didn't think of putting the two together." ninenine and autopr0n agree: "It wasn't so much what the girls said - we couldn't really hear them - but it was the surprised look on their faces and breasts. 'OMG! Pervert!' Man...still sends a shiver down my spine. 'Pervert!'. We weren't quite exploiting sex commercially before, and then, after that post it was like 'ok, we need to get to it and get this done.' And that's what we did." Coming up next on Behind the Games: 99's sex change operation, and '99's friend's battle with fame and amphetamines.

(a tribute)

As Someone Who Doesn't Own A Mac... (3, Funny)

sweatyboatman (457800) | more than 7 years ago | (#17312108)

I personally am disappointed. Imagine the YouTube videos that would have been possible with just a month's worth of such video. I mean, yes, 90% of it would be unshowered nerds with bad posture, but that 10% would have been gold!

Yeah (0)

Anonymous Coward | more than 7 years ago | (#17312128)

Now all the exhibitionists start using Macs..

and... (1)

SuperStretchy (1018064) | more than 7 years ago | (#17312136)

it didn't take till Tuesday of the second week, 2 months after the hole was found either.

Re:and... (1)

cnettel (836611) | more than 7 years ago | (#17312260)

Reservation: I didn't read TFA, I've no idea about CVE numbers, but the CVE number for this issue was first listed as "reserved" over a month ago [mitre.org] . Not two months after it was found, but still six weeks or so.

Re:and... (2, Informative)

petard (117521) | more than 7 years ago | (#17312464)

Apple reserves blocks of CVE numbers in advance, without necessarily having a problem report that matches up. They were told about this on 01 December.

Darn. (4, Funny)

Grendel Drago (41496) | more than 7 years ago | (#17312168)

And Mac users are lithe, sexy art types, too. I know, because the ads tell me so.

Re:Darn. (1)

pnaro (78663) | more than 7 years ago | (#17312278)

And we are too ... if you consider THIS Mac user to be a middle-aged, self-employed unix geek / database administrator / developer. The ads made me so.

Don't believe it (1, Funny)

Anonymous Coward | more than 7 years ago | (#17312178)

I refuse to believe this, it has to be a hoax. Everyone round here keeps saying that only 'Windoze' has security problems, and that Macs are immune. Besides, Mac users don't run with admin rights, so this can't be possible, right?

Would make for a GREAT security wake-up website (4, Interesting)

Jah-Wren Ryel (80510) | more than 7 years ago | (#17312256)

There are a few websites out there that will tell you your IP address, browser type, OS type and even guess at your general geographic location based on things your browser tells it. Some of these sites do it to "shock" people into realizing they are NOT anonymous on the net.

What a great enhancement it would be for such websites to display a picture of the user at his computer! "We know you use a Mac, live in California and look like THIS!" Just one visit to such a site would go a LONG way to instilling a useful level of caution.

Re:Would make for a GREAT security wake-up website (1)

Peganthyrus (713645) | more than 7 years ago | (#17312392)

You can still do this [oreillynet.com] .

Re:Would make for a GREAT security wake-up website (1)

GrueMoon (990213) | more than 7 years ago | (#17312596)

Thanks a lot - that web page completely froze up my Firefox.

Re:Would make for a GREAT security wake-up website (1)

Peganthyrus (713645) | more than 7 years ago | (#17312768)

Sorry about that. Works fine for me on Safari. I guess Firefox and/or your system doesn't like tiny Quartz compositions.

Re:Would make for a GREAT security wake-up website (1)

Anthracks (532185) | more than 7 years ago | (#17313730)

It froze mine too...on Windows XP. WTF? Why should WinXP care about Quartz? Perhaps I'll have to file a bug.

Re:Would make for a GREAT security wake-up website (1)

Peganthyrus (713645) | more than 7 years ago | (#17313604)

Oops, no, you can't - I just went and plugged in the webcam to check. Seems that any and all QCs that use the 'video input' or 'audio input' are now "unsafe, and cannot be viewed in WebKit", though you only get that warning when linking straight to the .qtz. Well, that's no fun!

You know, people can get audio and video through the Flash player too and nobody's gone hogshit.

Why didn't anybody tell me? (4, Funny)

UnknowingFool (672806) | more than 7 years ago | (#17312264)

[Stops dancing wildly in front of computer]
Nobody saw that, right?

Am I the only one (5, Interesting)

LittleBunny (1021415) | more than 7 years ago | (#17312328)

Am I the only one who wishes that the laptops with the built-in iSight had a way to manually close the shutter, like the standalone iSight? I always keep mine closed when I'm not using it, but the lack of such a shutter on the laptops makes me profoundly uncomfortable at the thought of owning one. Maybe this sort of thing will serve as a wakeup call?

Re:Am I the only one (3, Funny)

Orthodork (975038) | more than 7 years ago | (#17312350)

Duct tape will manually close the shutter. And a tinfoil hat will keep those nasty thoughts out of your head a little better.

Re:Am I the only one (2, Funny)

LittleBunny (1021415) | more than 7 years ago | (#17313124)

I've tried the tinfoil hat, believe me. Multiple layers, even. It seems to have no discernible effects on nasty thoughts. But then, maybe I just haven't given it enough time.

Re:Am I the only one (1)

OldeTimeGeek (725417) | more than 7 years ago | (#17313396)

It works better if you nail it down. Or so I've been told...

Re:Am I the only one (1)

Sierran (155611) | more than 7 years ago | (#17312642)

Heh. You're not the only one. Despite fears of being called a paranoiac, and despite assurances that the 'in use' LED would warn me, I have this nice little stuffed penguin, see...and when I place him atop my iMac, his beak fits just precisely over the camera lens.

Now all those unscrupulous bastards at DHS need to do is realize that my cat is a) home all day and b) bribable with kibbles and I'm *screwed*.

Re:Am I the only one (5, Funny)

geobeck (924637) | more than 7 years ago | (#17313406)

...I have this nice little stuffed penguin, see...and when I place him atop my iMac...

So you're using a Linux patch for your Mac vulnerability?

Re:Am I the only one (0)

Anonymous Coward | more than 7 years ago | (#17312830)

Am I the only one who wishes that the laptops with the built-in iSight had a way to manually close the shutter, like the standalone iSight?

Some guy makes and sells a $10 bit of plastic [theipatch.com] that does what you want.

If you want to disable it permanently it only takes a little drop of glue to disfigure the lens so the camera doesn't show anything useful...

Re:Am I the only one (1)

soft_guy (534437) | more than 7 years ago | (#17314094)

There are inexpensive third party covers for the built-in iSight that stay on real well and don't damage the computer/camera.

Whew! (0)

Anonymous Coward | more than 7 years ago | (#17312402)

Good thing I'm running Linux...

Nothing to iSight here... (2, Funny)

Rastignac (1014569) | more than 7 years ago | (#17312418)

...move along. ;)

Why this is interesting (4, Informative)

daveschroeder (516195) | more than 7 years ago | (#17312434)

Of course, an application running on your local machine can do anything it wants. So it's not surprising that a malicious Java applet/application could, well, do malicious things.

For those who don't know, a Quartz Composer composition saved as a QuickTime movie can display the iSight image locally. Since QuickTime movies can be embedded in web pages, you can create a movie that displays the *local* iSight image back to the person, locally. Nifty, right?

But what is interesting is that via Java hooks in QuickTime for Java, a Java applet could be used in conjunction with this Quartz Composer movie to do anything that a Java applet could instruct QuickTime to do - including take a shot of whatever is being displayed in the QuickTime movie - and then do anything else a Java applet could be designed to do - in this case, potentially send that image somewhere.

So, this could be done on any platform with a camera, since all it is is malware running to perform a specific task.

But what's more interesting is:

- All Mac OS X systems will always have QuickTime, and thus always have the capability to run such a composition
- All Apple laptops have cameras that cannot be easily disabled (of course, due to the way the iSight is set up electrically, the green light will always be on when in use, unless the LED is burnt out)

The ubiquitousness of iSight camera is what makes this little trick interesting. It also raises issues such as: why didn't Apple offer an option to delete the camera (especially for government/military customers, as other vendors, like Palm, do), and why didn't Apple offer a mechanical shutter for the iSight on all models?

In any case, it's fixed with Security Update 2006-008, but a legitimate Java application, i.e., one you trust, could still do just that. Which stands to reason, of course, since code running on your machine - even if instantiated by a web page - can really do anything that you have permission to do, including delete files. That's the nature of applications.

One other note: you can indeed disable the iSight by (re)moving:

/System/Library/Extensions/Apple_iSight.kext
/System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component

In sum, the reason why this is interesting is because of the ubiquitousness of the Apple iSight on Apple laptops and the fact that it's ready for use. But, someone still has to visit a malicious site and run a malicious Java applet - user interaction: the hallmark of Mac OS X vulnerabilities!
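The two paths named in the comment above are the whole of the "software disable" it describes. As an added example (not from the thread, from Apple, or from any tool the thread names), here is that procedure as a small POSIX shell script: it moves both components into a backup tree, preserving their relative paths so the change can be undone, and reports whether the machine is currently stripped. Every function takes the root directory as its first argument so the same code can be exercised against a constructed directory tree; on a live Mac OS X machine the root is `/`, the script must run as root, and the backup location `/var/backups/isight` is an arbitrary choice made here.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread or from Apple: move the two
# iSight components named in the comment above out of the way, keeping a
# backup so the change is reversible. ROOT is a parameter so the functions
# can be run against a test tree; on a real system it is "/" (run as root).

ISIGHT_FILES="System/Library/Extensions/Apple_iSight.kext
System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component"

# isight_disabled ROOT: succeed only if neither component is present.
isight_disabled() {
    for rel in $ISIGHT_FILES; do
        [ -e "$1/$rel" ] && return 1
    done
    return 0
}

# disable_isight ROOT BACKUP: move each component out of ROOT into BACKUP,
# preserving its relative path. The .kext is a directory bundle, so mv
# handles it like any other directory. Fails unless both were moved, so a
# half-done state (one file left behind) is reported rather than hidden.
disable_isight() {
    root=$1
    backup=$2
    moved=0
    for rel in $ISIGHT_FILES; do
        src="$root/$rel"
        dst="$backup/$rel"
        [ -e "$src" ] || continue
        mkdir -p "$(dirname "$dst")" || return 1
        mv "$src" "$dst" || return 1
        moved=$((moved + 1))
    done
    [ "$moved" -eq 2 ]
}

# restore_isight ROOT BACKUP: reverse of disable_isight.
restore_isight() {
    root=$1
    backup=$2
    for rel in $ISIGHT_FILES; do
        src="$backup/$rel"
        [ -e "$src" ] || continue
        mkdir -p "$(dirname "$root/$rel")" || return 1
        mv "$src" "$root/$rel" || return 1
    done
    return 0
}

# Command-line use: isight.sh disable|restore|status [ROOT] [BACKUP]
# (the default backup directory is an assumption made for this example)
case "${1:-}" in
    disable) disable_isight "${2:-/}" "${3:-/var/backups/isight}" ;;
    restore) restore_isight "${2:-/}" "${3:-/var/backups/isight}" ;;
    status)
        if isight_disabled "${2:-/}"; then
            echo "iSight components absent"
        else
            echo "iSight components present"
        fi
        ;;
esac
```

Two caveats for anyone doing this on a live machine. Moving the kext does not unload a driver the kernel already has loaded, so reboot afterwards and confirm with `kextstat | grep -i isight` that nothing iSight-related is still resident. And because these files live under /System, an Apple software update may put them back, so re-run the status check after each update rather than assuming the change is permanent.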

Re:Why this is interesting (1)

galego (110613) | more than 7 years ago | (#17313532)

- All Apple laptops have cameras that cannot be easily disabled (of course (unless the LED is burnt out) due to the way the iSight is set up electrically, the green light will always be on when in use)

What .. just like those that save a piece of the packaging to act as a buffer between the keyboard and screen on their laptops... save a piece of tape [duct|electrical|masking] to patch that [security] hole.

:p

Re:Why this is interesting (5, Informative)

daveschroeder (516195) | more than 7 years ago | (#17313888)

I should also note that, for government/military customers, Apple does have a contractor that can physically disconnect the iSight and internal microphone as part of the procurement process, and meets GSA schedules and requirements for "no-camera" or "no-microphone" environments; additionally, infrared, Bluetooth, and AirPort can also be disabled. This does not void any warranties. That contractor is:

Holmans [holmans.com]
6201 N. Jefferson Ave
Albuquerque, NM 887109
Tony Greiner
505 343 3529
tgreiner@holmans.com

GSA schedule GS-35F-0341N
DOE authorized (LLNL and LANL)
DOE "L" clearance personnel

For individual customers, any Apple Authorized Service Provider [apple.com] can disconnect any or all of the above components, and is happy to accommodate such requests. Such requests also do not void warranties.

Again, these components can all be disabled by software means in managed environments where physical disconnection/removal of the device(s) is not a requirement.

I should note that this trick could technically be done on any platform with a camera: run malicious software designed to send imagery from an attached camera somewhere. But in the case of Mac OS X on Apple hardware, it becomes interesting because Apple has already done all the work to drive the camera and display within QuickTime (via Quartz Composer, the integrated camera and drivers, and so on), and then QuickTime for Java can be used via a malicious Java application or applet (which still has to be run, of course) to send images remotely. After Security Update 2006-008, a Java applet (unless it is a signed applet that is specifically allowed by the user) can no longer make such calls to QuickTime for Java.

Re:Why this is interesting (0)

Anonymous Coward | more than 7 years ago | (#17313900)

Seriously. If you want to EASILY and QUICKLY disable iSight, what about just putting a piece of tape over the camera?!

Keep their little heads in the sand. (2, Insightful)

delire (809063) | more than 7 years ago | (#17312440)

Got to love the idea of using an OS whose scope of security vulnerability needs to be 'leaked' to be known.

Fsck that..

Re:Keep their little heads in the sand. (2, Informative)

delire (809063) | more than 7 years ago | (#17312526)

Yes I realise I just had an RTFA parse error..

No security hole -- RTFrigginA (2, Informative)

Deep Fried Geekboy (807607) | more than 7 years ago | (#17312580)

If Cmdr Taco had actually read the friggin' MacSlash article he links to, and scrolled down to the comments, he'd see that the 'exploit' is not fixed by this patch and what's more, doesn't send info to the server. Fer feck's sake.

Re:No security hole -- RTFrigginA (0)

Anonymous Coward | more than 7 years ago | (#17313054)

Uhh... you need to RTFA and look at the demo. The exploit is the ability to send the picture to the server, and that works if you haven't patched. The old prank movies that don't send the picture to the server (they're related to the exploit but are only part of the equation) still work after the patch.

Re:No security hole -- RTFrigginA (0)

Anonymous Coward | more than 7 years ago | (#17313594)

FTFSA:
Description: Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site. When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information. This update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets. Quartz Composer compositions continue to function locally.

Continue to work locally and prevent Java applets from uploading images to the originating website.
It also sounds like the problem may have been more widespread than just iSight feeds... like any QuickTime embedded object.

Re:No security hole -- RTFrigginA (3, Informative)

annodomini (544503) | more than 7 years ago | (#17313334)

And if you had read the Security Advisory [apple.com], you would have seen that the problem they were fixing was about data being sent to the server and was fixed. They did not remove Quartz Composer functionality from QuickTime movies, so the movies you can download that show you to yourself, possibly with some effects added, still work (and are still a little creepy), but they only display the picture locally. What they did was remove the functionality from unsigned Java applets to embed such movies, because those applets could take the image produced by QuickTime and send it back to the server, which was a real problem.

Re:No security hole -- RTFrigginA (3, Informative)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17313450)

What they did was remove the functionality from unsigned Java applets to embed such movies, because those applets could take the image produced by Quicktime and send it back to the server, which was a real problem.

Yeah, too bad Sun announced yesterday [sun.com] a flaw in all their runtime environments that allows untrusted applets to access data from trusted applets. I don't think Apple has squashed that one, so there is still some potential for mischief.

just like flash? (2, Informative)

zen611 (903428) | more than 7 years ago | (#17312656)

Doesn't flash do this already? As a "feature"?

Yeah, just like that, except: (1)

mbessey (304651) | more than 7 years ago | (#17313508)

The "feature" of sending video to random strangers on the Internet is disabled by default for Flash, and was enabled by default for QuickTime/Java before this patch was issued.

Sun (2, Funny)

BenjyD (316700) | more than 7 years ago | (#17312836)

I guess this kind of thing is why Sun put a mechanical lens cover on their webcams.

Whew! (0)

Anonymous Coward | more than 7 years ago | (#17312996)

Good thing I'm using IE7 + Windows XP on my Mac Book. Oh wait...

Shameful this hasn't shown up yet. (5, Funny)

0100010001010011 (652467) | more than 7 years ago | (#17313034)

In Soviet Russia, websites look at you!

Re:Shameful this hasn't shown up yet. (1)

whobutdrew (889171) | more than 7 years ago | (#17313390)

Hahahah nicely done!

Closes iSight (security hole) (3, Funny)

ezzewezza (84083) | more than 7 years ago | (#17313204)

Just makes me think:

It is pitch black. You are likely to be eaten by a grue.

So.... (1)

netsfr (839855) | more than 7 years ago | (#17313516)

does this mean that next month's "Month of OSX bugs" is now one day (bug) short?

it's a feature! (0)

Anonymous Coward | more than 7 years ago | (#17313570)

You guys have it all wrong. It's not a security hole, it's a feature!
They wanted to save you the time it takes to post to YouTube.

/View mode (2, Interesting)

dpbsmith (263124) | more than 7 years ago | (#17313610)

Back in the late 1980s and early 1990s, Compuserve's "CB simulator," Delphi, and other services provided text-based multiway services of the kind now known as "chat."

It was fairly common for someone to make a joke about how they were or were not dressed. A common reply was for someone else to type something like /view mode on

and tell the group that he or she could now verify whether or not the first speaker had been telling the truth. Occasionally the first speaker would be naive and gullible enough to believe it.

Little did I know that /view mode would actually be implemented within my lifetime.

Oh my god (0, Troll)

Thabenksta (125165) | more than 7 years ago | (#17313624)

Haha, a security hole in a Mac! Look everyone, they suck like M$!

Let's make a big deal about it and pretend like whatever operating system we happen to enjoy is perfect.

silence is golden (1)

GanjaManja (946130) | more than 7 years ago | (#17313972)

Interesting that it got fixed before it was all over the net that it even existed... who knew about this before the security update was posted (yesterday on my mac)?

Sounds like an old SunOS issue (1)

Stonent1 (594886) | more than 7 years ago | (#17314034)

Some versions of SunOS had /dev/audio set with permissions that anyone could access it. So someone would just have to telnet into the computer with a non-root account and dd if=/dev/audio of=/export/home/joeschmoe/capture and get a dump of anything being said in that room.

What about the microphone? (0)

Anonymous Coward | more than 7 years ago | (#17314128)

Even more scary. No LED. Can hear far away.

Re:What about the microphone? (1)

Yvan256 (722131) | more than 7 years ago | (#17314282)

Aren't the iSight and microphone supposed to be electronically wired to the LED? I.E. if the iSight and/or microphone are being accessed, the LED lights up?

What Apple ought to do (0)

Anonymous Coward | more than 7 years ago | (#17314284)

Apple could improve security in two ways:

1. Make the built-in camera rotate to several positions: 1. Forward to the user for iChat sessions, 2. To the side to look inside the case and thus at nothing no matter what a virus does (mechanical security), and 3. Backward so users can video tape a class or speech without a $20 mirror gadget.

2. Put a Security option in the Apple menu that'd include the ability, hardwired into the kernel, to shut down: 1. Camera, 2. Mike, 3. WiFi, 4. Bluetooth, 5. Remote Ethernet addresses, 6. All Ethernet addresses, and 7. All outgoing Ethernet traffic. In hostile situations, this would make our Macs deaf, blind and mute to all external attacks.

Give me a break (3, Insightful)

CODiNE (27417) | more than 7 years ago | (#17314356)

So all the high rated posts I see talk about how terrible Apple's security was, 1984 comes true, blah blah blah.

Did any of you bother to try out the exploit? I just did... know what it does? It turns on that bright green LED right next to the camera, the one that tells you when it's on. It's pretty bright and when it turns on all of a sudden, you NOTICE. It then proceeded to crash my browser. While it may be possible that Apple carefully designed their hardware in such a way that the LED is software controlled and the camera is capable of invisibly monitoring people, there is no evidence to back those claims.

True with proprietary software one just never knows for sure, but honestly let's see someone figure out how to take a picture or make a movie without the light coming on, THEN we can start calling Apple Big Brother. Honestly if that were possible then I'd dump this laptop in a heartbeat since it would require purposely designing it with that in mind.