Apple Inc. has fixed the QuickTime flaw at the heart of a controversial Mac hacking contest during the recent CanSecWest conference in Vancouver -- a contest research firm Gartner Inc. deems bad for security.
New York hacker Dino Dai Zovi won a $10,000 cash prize for using the QuickTime flaw to hijack a Mac OS X machine.
The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said. But since the contest, researchers have determined that the QuickTime flaw threatens both the Mac and Windows operating systems and that any Java-enabled browser is a viable route of attack, whether it's Safari, Mozilla Firefox or Internet Explorer.
Apple said in its advisory that an implementation issue exists in QuickTime for Java. "By enticing a user to visit a Web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution," Apple said, adding that its update fixes the problem by performing additional bounds checking when creating QTPointerRef objects.
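The advisory's description of the fix, adding bounds checking when a pointer-wrapping object is created, is the general pattern below. This is an added illustration written for this page, not Apple's QuickTime for Java code: `PointerRef`, its backing buffer and the `pointer_ref_*` functions are hypothetical stand-ins for whatever QTPointerRef does internally. It shows a creation routine that trusts caller-supplied offset and length beside one that rejects any reference reaching outside the backing store, including the case where `offset + length` would wrap around.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object that wraps a pointer plus the number of bytes it may
   address. Stand-in for the page's QTPointerRef; not the real structure. */
typedef struct {
    uint8_t *base;
    size_t   length;
} PointerRef;

/* Backing allocation, constructed for the example. */
static uint8_t g_backing[64];

/* Unchecked creation: trusts the caller's offset and length, so a caller
   supplying untrusted values obtains a reference that claims to cover
   memory beyond the 64-byte backing store. */
bool pointer_ref_create_unchecked(PointerRef *out, size_t offset, size_t length)
{
    out->base = g_backing + offset;
    out->length = length;
    return true;
}

/* Checked creation: refuses any offset/length pair that would let the
   reference address bytes outside g_backing. The second test is written as
   a subtraction so that offset + length cannot overflow size_t. */
bool pointer_ref_create_checked(PointerRef *out, size_t offset, size_t length)
{
    if (offset > sizeof g_backing)
        return false;
    if (length > sizeof g_backing - offset)
        return false;
    out->base = g_backing + offset;
    out->length = length;
    return true;
}

/* Reports whether an index is inside the reference's recorded bounds,
   without dereferencing anything. */
bool pointer_ref_index_allowed(const PointerRef *ref, size_t index)
{
    return index < ref->length;
}

/* Reads one byte through the reference, enforcing its recorded bounds. */
bool pointer_ref_read_byte(const PointerRef *ref, size_t index, uint8_t *out)
{
    if (!pointer_ref_index_allowed(ref, index))
        return false;
    *out = ref->base[index];
    return true;
}

int main(void)
{
    PointerRef r;

    /* Unchecked: an oversized length is accepted and index 500 "looks" valid
       even though the backing store holds only 64 bytes. */
    pointer_ref_create_unchecked(&r, 0, 1000);
    printf("unchecked: index 500 allowed = %d\n", pointer_ref_index_allowed(&r, 500));

    /* Checked: the same request, a wrapping length and a past-the-end offset
       are all rejected at creation time. */
    printf("checked (0, 1000)     accepted = %d\n", pointer_ref_create_checked(&r, 0, 1000));
    printf("checked (60, SIZE_MAX) accepted = %d\n", pointer_ref_create_checked(&r, 60, SIZE_MAX));
    printf("checked (65, 0)       accepted = %d\n", pointer_ref_create_checked(&r, 65, 0));

    /* A legitimate reference covering the last four bytes still works. */
    uint8_t b = 0;
    g_backing[63] = 0x5A;
    if (pointer_ref_create_checked(&r, 60, 4) && pointer_ref_read_byte(&r, 3, &b))
        printf("checked (60, 4): byte[3] = 0x%02X\n", b);
    return 0;
}
```

The defensive point is that the check belongs where the object is created, not only where it is used: once an oversized reference exists, every later accessor has to be trusted to re-check, whereas a constructor that refuses bad bounds leaves nothing for untrusted code to misuse.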
Dai Zovi was initially reported to have hijacked the Mac by exploiting a flaw in Apple's Safari browser, but it was later determined that the flaw he exploited was in QuickTime. Because the contest was only open to people in attendance at the conference in Vancouver, he forwarded his findings to Shane Macaulay, a friend who was attending the conference. Dai Zovi won a $10,000 cash prize offered by 3Com's TippingPoint division. Macaulay reportedly won a MacBook Pro.
On Tuesday, Stamford, Conn.-based research firm Gartner said in an online analysis that the QuickTime flaw poses a wide risk and highlights the danger of vulnerability research conducted in public.
Analysts Rich Mogull and Greg Young wrote that while there are no confirmed reports of in-the-wild exploits for the flaw, enterprises should assume they are at risk for a potential breach since the exploit details are now public.
"The sheer breadth of systems and browsers that potentially could be affected means that this could be a serious browser vulnerability," they wrote. "No single safeguard can guarantee complete protection."
They added that public vulnerability research and hacking contests are "risky endeavors" that can run contrary to responsible disclosure practices where vendors are given an opportunity to develop patches or workarounds before public announcements are made.
"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT," they wrote. "However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."