Mac hack tied to Apple QuickTime flaw

By Bill Brenner, Senior News Writer
24 Apr 2007 | SearchSecurity.com

Security Wire Daily News

The hacker who won a $10,000 contest last week by compromising a Mac OS X machine did so via a security hole in Apple's popular QuickTime media player, according to researchers at Matasano Security LLC.

The New York consultancy said in its Matasano Chargen blog Monday that the QuickTime flaw is also a threat to those who use Safari, Firefox and Windows. Specifically, Matasano said:

  • The exploit targets Java handling in QuickTime.
  • Any Java-enabled browser is a viable attack vector, or route, if QuickTime is installed.
  • Apple's vulnerable code ships by default on Mac OS X and is extremely popular on Windows, where the code introduces a third-party vulnerability.
  • Firefox and Safari are confirmed vectors on MacIntel. Users of both browsers are placed at risk by this vulnerability in Apple's code.
  • Firefox is a presumed vector on Windows if Apple's QuickTime code is installed. Users of Firefox on Windows are presumed to be at risk.
  • Disabling Java stops the vulnerability.

Danish vulnerability clearinghouse Secunia rated the QuickTime flaw highly critical in an advisory.

"The vulnerability is caused due to an unspecified error within the Java handling in QuickTime," Secunia said. "This can be exploited to execute arbitrary code when a user visits a malicious Web site using a Java-enabled browser [such as] Safari or Firefox. Other browsers and platforms may also be affected."

In addition to disabling Java support, Secunia advised users to steer clear of untrusted Web sites.

Initial reports were that New Yorker Dino Dai Zovi hijacked the Mac by exploiting a flaw in Apple's Safari browser as part of a contest at the CanSecWest conference in Vancouver. The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said.

Dai Zovi managed to expose the hole, but because the contest was only open to people in attendance at the conference in Vancouver, he forwarded his findings to Shane Macaulay, a friend who was attending the conference. Dai Zovi won a $10,000 cash prize offered by 3Com's TippingPoint division. Macaulay reportedly won a MacBook Pro.

The QuickTime flaw was not addressed in the hefty security update Apple released last week to fix about two dozen flaws.
