Apple released Security Update 2006-008
First a quote from MacRumors:
"Apple has released Security Update 2006-008 for Mac OS X 10.4.8 (client and server). The 1.8 MB update addresses a vulnerability in Quicktime for Java and Quartz Composer.
It appears as though the update fixes a vulnerability where a specially-crafted Java applet could obtain images rendered on screen by embedded QuickTime objects and upload them to the originating website. Because QuickTime can be used in conjunction with Quartz Composer, this could theoretically allow a hacker to craft a applet that could obtain an attached (or built-in) iSight camera's images. While external iSight cameras have the ability to physically close an iris and turn the camera off, built-in iSight cameras (such as on the MacBook, MacBook Pro, and iMac) can not be physically turned off."
There is an O'Reilly Network page for testing the exploit.
<http://www.oreillynet.com/lpt/wlg/7409>
Before I applied the update I went there only to be greeted with the page displaying
the live output of my BlackMagic capture card!!!
Next I disabled the drivers for this card and rebooted.
This time the page showed the output of my camcorder which I use for iChat.
At this point I should point out that iChat was NOT running.
I applied the update and rebooted.
This did not fix the problem at all.
A friend with an external iSight tried the same things and after the patch his iSight was still
being broadcast on the page.
This is absurd!
"Apple has released Security Update 2006-008 for Mac OS X 10.4.8 (client and server). The 1.8 MB update addresses a vulnerability in Quicktime for Java and Quartz Composer.
It appears as though the update fixes a vulnerability where a specially-crafted Java applet could obtain images rendered on screen by embedded QuickTime objects and upload them to the originating website. Because QuickTime can be used in conjunction with Quartz Composer, this could theoretically allow a hacker to craft a applet that could obtain an attached (or built-in) iSight camera's images. While external iSight cameras have the ability to physically close an iris and turn the camera off, built-in iSight cameras (such as on the MacBook, MacBook Pro, and iMac) can not be physically turned off."
There is an O'Reilly Network page for testing the exploit.
<http://www.oreillynet.com/lpt/wlg/7409>
Before I applied the update I went there only to be greeted with the page displaying
the live output of my BlackMagic capture card!!!
Next I disabled the drivers for this card and rebooted.
This time the page showed the output of my camcorder which I use for iChat.
At this point I should point out that iChat was NOT running.
I applied the update and rebooted.
This did not fix the problem at all.
A friend with an external iSight tried the same things and after the patch his iSight was still
being broadcast on the page.
This is absurd!
G5 1.8 DP (PCI-X), Mac OS X (10.4.8), ATI X800 XT, 4GB RAM, 20" & 23" ACDs, M-Audio Revolution 5.1, Fostex D15 DAT
