QuickTime, not Safari, to blame for MacBook vuln

QuickTime, not Safari, to blame for MacBook vuln
QuickTime, not Safari, to blame for MacBook vuln 

By Dan Goodin in San Francisco 
25th April 2007

Updated -- The zero-day vulnerability that allowed a hacker to 
commandeer a brand new MacBook Pro late last week resides in a flaw in 
Apple's QuickTime media player, the exploit's author says. The 
revelation corrects descriptions given last Friday that the exploit 
targeted Safari.

Dino Dai Zovi set the record straight in a blog posting yesterday. It 
adds that Mac users browsing with Firefox are also vulnerable if 
QuickTime is installed and that QuickTime may put Java-enabled browsers 
on Windows machines at risk as well. Several hours after this story was 
first published, a new entry appeared that said unnamed sources at 3com 
have determined the QuickTime flaw is also exploitable on Internet 
Explorer versions 6 and 7.

Secunia has rated the QuickTime flaw highly critical, its second highest 
rating. "This can be exploited to execute arbitrary code when a user 
visits a malicious web site," the site warned. It recommends users 
disable Java as a work around until Apple releases a patch.

On Friday, Shane Macaulay, a friend of Dai Zovi's who participated in a 
"pwn-2-own" contest at the CanSecWest conference in Vancouver, described 
the flaw as residing in Safari. Dai Zovi, who wrote the exploit but 
didn't actually attend the conference, said on Tuesday that the 
vulnerability in fact lies in the way QuickTime handles Java. The 
exploit required a machine visit a booby-trapped website in order to 
work. Dai Zovi spent about nine hours writing the exploit, which allows 
a hacker to remotely gain full user rights to the targeted machine.

Under the contest rules, a successful exploit entitled the author to go 
home with the hacked machine. It also nets him a $10,000 bounty from 
security provider Tipping Point pending confirmation of the finding.

Dai Zovi on Tuesday declined to discuss the QuickTime in detail other 
than to say it allows a client-side Java error to execute arbitrary code 
when a Java-enabled browser visits a malicious website.

Dai Zovi's handiwork is only the latest discovery of a QuickTime 
vulnerability. Last month, Apple issued an update that plugged eight 
holes in the popular media playback software.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods