Mac hacked through QuickTime flaw

By Joris Evers
Staff Writer, CNET News.com Published: April 24, 2007 11:39 AM PDT

Tools

Related Stories: MacBook hacked in contest at security event
April 20, 2007; Apple plugs eight QuickTime holes
March 5, 2007; Offering a bounty for security bugs
July 24, 2005

The security hole used to breach a MacBook in a hack-a-Mac competition last week lies in Apple's QuickTime media player, the flaw finder said Tuesday.

The vulnerability is related to how QuickTime handles Java, said security researcher Dino Dai Zovi. An attacker can exploit the bug through Safari or Firefox, he said. Initial reports were that the flaw was in Safari, Apple's Web browser.

"It is a vulnerability within QuickTime. Safari and Firefox on Mac OS X are vulnerable," Dai Zovi said. QuickTime is also widely used on Windows machines, so Windows users may also be at risk, he said. "At this time, Firefox on Windows is considered at risk," Dai Zovi said.

Security monitoring company Secunia deems the flaw "highly critical," one notch below its most serious rating. "This can be exploited to execute arbitrary code when a user visits a malicious Web site," Secunia said. Apple's most recent QuickTime security update was in March.

Shane Macaulay, a software engineer and a friend of Dai Zovi's, hacked into a MacBook using the QuickTime security hole on Friday. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference in Vancouver, British Columbia.

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack more familiar to Windows users.

Apple has declined to comment on the MacBook hack specifically, but spokeswoman Lynn Fox last week provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users," she said.

Further details on the flaw are being kept confidential until Apple patches it. Dai Zovi has submitted the vulnerability to TippingPoint's Zero Day Initiative bug bounty program. TippingPoint, which sells intrusion prevention systems, had offered a $10,000 prize for a Mac zero-day vulnerability to make the CanSecWest contest more appealing to hackers.

"TippingPoint has offered to purchase the vulnerability and I have agreed, payment is pending," Dai Zovi said.

Disabling Java in a browser shields a computer against attacks that exploit the flaw, Dai Zovi said. Macs are vulnerable by default because Apple ships QuickTime with the operating system. Windows users are only vulnerable if QuickTime is installed.

More from News.com on this story's topics: Security threats
Create an email alert | RSS feed; Media players
Create an email alert | RSS feed; Flaws
RSS feed; Apple
Create an email alert | RSS feed

See more CNET content tagged:
Apple QuickTime, TippingPoint Technologies, Apple MacBook, vulnerability, Apple Computer

Add a Comment (Log in or register) 14 comments (Page 1 of 1)

YAQTF
by mjm01010101 April 24, 2007 12:18 PM PDT: Yet Another QuickTime Flaw. I think this is like the 100th one this year now?; Reply to this comment View all 3 replies
Processing

The Empire Strikes Back....
by Jon N. April 24, 2007 1:28 PM PDT: (Pipe in "The Imperial March" from "Star Wars: The Empire Strikes Back") It's a dark day for the republic. When the discovered flaws are within the apps themselves, and not within the operating systems, then it is a very dark day indeed for personal computing, and their end users. The flaws are now in the inter-operable apps themselves! That means that not only the operating system platforms that we use are now vulnerable, but the other apps that they use within them are now vulnerable, too. A sad day, indeed. Now, how soon will Mozilla, Sun, Apple, & Microsoft will issue patches and/or work-arounds? I think patches will be in this order, but I hope that some anarchistic, anti-establishmentarianist jerk won't exploit this hole before the patch is created and distributed. In the meantime...we wait....; Reply to this comment View reply
Processing

Here is the REAL test....
by Ted Miller April 25, 2007 5:17 AM PDT: First get four very ordinary people. Two women and two men. Get four computers. Two Macs and two PC's. Give a Mac to one of the women and man. Give a PC to one women and a man. Have them all connected to the internet (Broadband) at the same time, letting them surf to their hearts content and letting them go anywhere from knitting to fishing and from gambling to porn. Let them continue at this for lets say twelve hours. After twelve hours check the systems for virus, adware, spyware, malware and outright hijacks. Only then we will see which system holds its mettle in the most ordinary conditions. To be fair add another man and women and give them a PC loaded with the most popular Linux operating system (Ubuntu as of this date) and have them do the same. Which operating system do you think will hold up with the test of time?; Reply to this comment