Sandboxing on Mac OS X Leopard
Sunday, December 16th, 2007
http://dvlabs.tippingpoint.com/blog/2007/12/14/new-leopard-security-features—part-iii-sandboxing
This is an interesting article on sandboxing in Leopard.
It’s a feature which allows a user or administrator to limit the actions that a process can do to only the actions that it needs to do. Then, if there is a security vulnerability such as a buffer overflow in the program, when malicious code is injected into the process, it can only do the actions that the process would normally do, thus limiting the potential damage significantly.
In the paper “Some thoughts on security after ten years of qmail 1.0” by Daniel J. Bernstein, djb mentions this type of technology as one of the most promising for mitigating security bugs. Specifically, see section 5.2. Of course, he also claims in section 2.5 that “minimizing privilege” is a fundamentally wrong distraction, and that the key is minimizing the amount of trusted code, which isn’t the same thing.
Sandboxing can be used for both, and the key to reducing the trusted code base rather than just reducing privilege in general is to intelligently apply appropriate profiles.
See the manpages sandbox(7), sandbox-exec(1), sandbox_init(3), and sandbox-compilerd(8).
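To make “intelligently apply appropriate profiles” concrete, here is an added example (not from the original post or from Apple’s own documentation) of the deny-by-default profile style that sandbox(7) describes: a small sh script that writes a profile allowing a child process only to load its binary, read one input directory and write one output directory, then launches a command under it with sandbox-exec(1). The profile keywords and the Leopard-era regex form are assumed from sandbox(7); the directory paths and the file name report.txt are constructed for the example, and the exact set of operations a real program needs has to be discovered by running it under the profile and reading the kernel’s sandbox denials in the system log.

```shell
#!/bin/sh
# Added example, not code from the original post: build a deny-by-default
# sandbox profile and run a command under it with sandbox-exec(1).
# Profile syntax (deny default, file-read*, file-write*, process-exec,
# regex #"...") is assumed from the Leopard-era sandbox(7) manual page.

# Print a profile that lets the child read under $1 and write under $2,
# plus the minimum it needs to start a dynamically linked binary.
write_profile() {
    read_dir=$1
    write_dir=$2
    cat <<EOF
(version 1)
(deny default)
; loading the binary and the system libraries it links against
(allow process-exec)
(allow file-read* (regex #"^/usr/lib/"))
(allow file-read* (regex #"^/bin/"))
(allow file-read* (regex #"^/usr/bin/"))
; the only data the task actually needs: one input tree, one output tree
(allow file-read* (regex #"^${read_dir}/"))
(allow file-write* (regex #"^${write_dir}/"))
EOF
}

# Count the allow rules in a profile read from stdin; a cheap check that
# the profile stays small while a program is being fitted to it.
count_allows() {
    grep -c '^(allow '
}

# Run "$@" under the profile in $1 if sandbox-exec exists on this host.
run_sandboxed() {
    profile=$1
    shift
    if command -v sandbox-exec >/dev/null 2>&1; then
        sandbox-exec -f "$profile" "$@"
    else
        echo "sandbox-exec not found on this host; profile left in $profile" >&2
        return 127
    fi
}

# Constructed demo paths: input under /Users/Shared/input, output under
# /Users/Shared/output. Inside the sandbox the copy is allowed, while the
# write to /tmp/leak is outside every allow rule and is denied.
main() {
    prof=${TMPDIR:-/tmp}/readonly.sb
    write_profile /Users/Shared/input /Users/Shared/output >"$prof"
    run_sandboxed "$prof" /bin/sh -c '
        cp /Users/Shared/input/report.txt /Users/Shared/output/ && echo copied
        echo leak >/tmp/leak || echo "write outside the profile denied, as intended"
    '
}

# Only launch the demo when invoked with an argument, so that sourcing
# the file for its functions has no side effects.
if [ "$#" -gt 0 ]; then
    main
fi
```

Run it as `sh sandbox-demo.sh go` on a Leopard host; the first echo appears because both paths fall inside the allow rules, and the second reports the denial the kernel imposes on the stray write. The point of keeping the profile this short is the one the post makes: every allow line is a piece of the system the process can still touch after a compromise, so the profile, not the process’s UID, defines the trusted surface.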