Home > Security News > Mac hack tied to Apple QuickTime flaw
Security News:
EMAIL THIS LICENSING & REPRINTS

Mac hack tied to Apple QuickTime flaw

By Bill Brenner, Senior News Writer
24 Apr 2007 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

The hacker who won a $10,000 contest last week by compromising a Mac OS X machine did so via a security hole in Apple's popular QuickTime media player, according to researchers at Matasano Security LLC.

The New York consultancy said in its Matasano Chargen blog Monday that the QuickTime flaw is also a threat to those who use Safari, Firefox and Windows. Specifically, Matasano said:

  • The exploit targets Java handling in QuickTime.
  • Any Java-enabled browser is a viable attack vector, or route, if QuickTime is installed.
  • Apple's vulnerable code ships by default on Mac OS X and is extremely popular on Windows, where the code introduces a third-party vulnerability.
  • Firefox and Safari are confirmed vectors on MacIntel. Users of both browsers are placed at risk by this vulnerability in Apple's code.
  • Firefox is a presumed vector on Windows if Apple's QuickTime code is installed. Users of Firefox on Windows are presumed to be at risk.
  • Disabling Java stops the vulnerability.

Danish vulnerability clearinghouse Secunia rated the QuickTime flaw highly critical in an advisory.

"The vulnerability is caused due to an unspecified error within the Java handling in QuickTime," Secunia said. "This can be exploited to execute arbitrary code when a user visits a malicious Web site using a Java-enabled browser [such as] Safari or Firefox. Other browsers and platforms may also be affected."

In addition to disabling Java support, Secunia advised users to steer clear of untrusted Web sites.

Initial reports were that New Yorker Dino Di Zovie hijacked the Mac by exploiting a flaw in Apple's Safari browser as part of a contest at the CanSecWest conference in Vancouver. The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said.

Di Zovie managed to expose the hole, but because the contest was only open to people in attendance at the conference in Vancouver, he forwarded his findings to Shane Macaulay, a friend who was attending the conference. Di Zovie won a $10,000 cash prize offered by 3Com's TippingPoint division. Macaulay reportedly won a MacBook Pro.

The QuickTime flaw was not addressed in the hefty security update Apple released last week to fix about two dozen flaws.

Sound Off! -   Be the first to post a message to Sound Off!


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts