Mac hack tied to Apple QuickTime flaw

Article

Mac hack tied to Apple QuickTime flaw

Bill Brenner, Senior News Writer
The hacker who won a $10,000 contest last week by compromising a Mac OS X machine did so via a security hole in Apple's popular QuickTime media player, according to researchers at Matasano Security LLC.

The New York consultancy said in its Matasano Chargen blog Monday that the QuickTime flaw is also a threat to those who use Safari, Firefox and Windows. Specifically, Matasano said:

  • The exploit targets Java handling in QuickTime.
  • Any Java-enabled browser is a viable attack vector, or route, if QuickTime is installed.
  • Apple's vulnerable code ships by default on Mac OS X and is extremely popular on Windows, where the code introduces a third-party vulnerability.
  • Firefox and Safari are confirmed vectors on MacIntel. Users of both browsers are placed at risk by this vulnerability in Apple's code.
  • Firefox is a presumed vector on Windows if Apple's QuickTime code is installed. Users of Firefox on Windows are presumed to be at risk.
  • Disabling Java stops the vulnerability.

Danish vulnerability clearinghouse Secunia rated the QuickTime flaw highly critical in an advisory.

"The vulnerability is caused due to an unspecified error within the Java handling in QuickTime,"

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Secunia said. "This can be exploited to execute arbitrary code when a user visits a malicious Web site using a Java-enabled browser [such as] Safari or Firefox. Other browsers and platforms may also be affected."

In addition to disabling Java support, Secunia advised users to steer clear of untrusted Web sites.

Initial reports were that New Yorker Dino Di Zovie hijacked the Mac by exploiting a flaw in Apple's Safari browser as part of a contest at the CanSecWest conference in Vancouver. The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said.

Di Zovie managed to expose the hole, but because the contest was only open to people in attendance at the conference in Vancouver, he forwarded his findings to Shane Macaulay, a friend who was attending the conference. Di Zovie won a $10,000 cash prize offered by 3Com's TippingPoint division. Macaulay reportedly won a MacBook Pro.

The QuickTime flaw was not addressed in the hefty security update Apple released last week to fix about two dozen flaws.


Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top