The hacker who won a $10,000 contest last week by compromising a Mac OS X machine did so via a security hole in Apple's popular QuickTime media player, according to researchers at Matasano Security LLC.
The New York consultancy said in its Matasano Chargen blog Monday that the QuickTime flaw is also a threat to those who use Safari, Firefox and Windows. Specifically, Matasano said:
- The exploit targets Java handling in QuickTime.
- Any Java-enabled browser is a viable attack vector, or route, if QuickTime is installed.
- Apple's vulnerable code ships by default on Mac OS X and is extremely popular on Windows, where the code introduces a third-party vulnerability.
- Firefox and Safari are confirmed vectors on MacIntel. Users of both browsers are placed at risk by this vulnerability in Apple's code.
- Firefox is a presumed vector on Windows if Apple's QuickTime code is installed. Users of Firefox on Windows are presumed to be at risk.
- Disabling Java stops the vulnerability.
Danish vulnerability clearinghouse Secunia rated the QuickTime flaw highly critical in an advisory.
"The vulnerability is caused due to an unspecified error within the Java handling in QuickTime," Secunia said. "This can be exploited to execute arbitrary code when a user visits a malicious Web site using a Java-enabled browser [such as] Safari or Firefox. Other browsers and platforms may also be affected."
In addition to disabling Java support, Secunia advised users to steer clear of untrusted Web sites.
Initial reports were that New Yorker Dino Di Zovie hijacked the Mac by exploiting a flaw in Apple's Safari browser as part of a contest at the CanSecWest conference in Vancouver. The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said.
Di Zovie managed to expose the hole, but because the contest was only open to people in attendance at the conference in Vancouver, he forwarded his findings to Shane Macaulay, a friend who was attending the conference. Di Zovie won a $10,000 cash prize offered by 3Com's TippingPoint division. Macaulay reportedly won a MacBook Pro.
The QuickTime flaw was not addressed in the hefty security update Apple released last week to fix about two dozen flaws.