Apple fixes QuickTime flaw

By Bill Brenner, Senior News Writer 02 May 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

New York hacker Dino Di Zovie won a $10,000 cash prize for using the QuickTime flaw to hijack a Mac OS X machine.

The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said. But since the contest, researchers have determined that the QuickTime flaw threatens both the Mac and Windows operating systems and that any Java-enabled browser is a viable route of attack, whether it's Safari, Mozilla Firefox or Internet Explorer.

Apple Mac hacks: Mac hack puts Apple faithful on the defense: A much-hyped QuickTime exploit threatens Mac OS X and Windows browsers, but the Apple faithful feel the greatest sting. Mac hack tied to Apple QuickTime flaw: A researcher won a Mac hacking contest by exploiting a hole in Apple QuickTime. The flaw is also a threat to those who use Firefox, Safari and Windows.

Apple said in its advisory that an implementation issue exists in QuickTime for Java. "By enticing a user to visit a Web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution," Apple said, adding that its update fixes the problem by performing additional bounds checking when creating QTPointerRef objects.

Di Zovie hijacked the Mac by exploiting a flaw in Apple's Safari browser, but it was later determined that he exploited a QuickTime flaw instead. Because the contest was only open to people in attendance at the conference in Vancouver, he forwarded his findings to Shane Macaulay, a friend who was attending the conference. Di Zovie won a $10,000 cash prize offered by 3Com's TippingPoint division. Macaulay reportedly won a MacBook Pro.

Tuesday, Stamford, Conn.-based research firm Gartner said in an online analysis that the QuickTime flaw poses a wide risk and highlights the danger of vulnerability research conducted in public.

Analysts Rich Mogull and Greg Young wrote that while there are no confirmed reports of in-the-wild exploits for the flaw, enterprises should assume they are at risk for a potential breach since the exploit details are now public.

"The sheer breadth of systems and browsers that potentially could be affected means that this could be a serious browser vulnerability," they wrote. "No single safeguard can guarantee complete protection."

They added that public vulnerability research and hacking contests are "risky endeavors" that can run contrary to responsible disclosure practices where vendors are given an opportunity to develop patches or workarounds before public announcements are made.

"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT," they wrote. "However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."

Tags: Alternative OS security: Mac, Linux, Unix, etc.,  Security Testing and Ethical Hacking,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Alternative OS security: Mac, Linux, Unix, etc. Mac OS memory flaws pose challenges for enterprise endpoint protection Rootkit Hunter demo: Detect and remove Linux rootkits Oracle to buy Sun Microsystems for $7.4 billion How to harden Linux operating systems Serious holes in Mac OS X memory, researcher shows What is the best operating system for an FTP server implementation? Black Hat DC 2009: Mac OS attack method New hacking method stealthily attacks Macs with malware Apple fixes critical QuickTime flaws User provisioning and SSO for PeopleSoft- and Unix-based products Alternative OS security: Mac, Linux, Unix, etc. Research Security Testing and Ethical Hacking Screencast: Samurai offers pen-testing nirvana McAfee to acquire Solidcore Systems for whitelisting The Pipe Dream of No More Free Bugs How to perform Microsoft Baseline Security Analyzer (MBSA) scans Free HP SWFScan tool detects Adobe Flash flaws Flaw disclosure debate polarizes SOURCE Boston panel L0phtCrack returns Information security book excerpts and reviews Should static analysis be a part of the software development process? Cracks in WPA? How to continue protecting Wi-Fi networks

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary