QuickTime the culprit in Mac hack; Windows may also be at risk

Computerworld - The vulnerability that put $10,000 into the pocket of a New Yorker last Friday during a Mac hacking contest is in Apple Inc.'s QuickTime media player, researchers said today.

The contest, held at the CanSecWest security conference in Vancouver last week, pitted a pair of MacBook Pro notebooks, each with all currently-available security patches installed, against all comers. The battle was won by Dino Dai Zovi, who forwarded a URL containing an exploit to a friend attending the conference, Shane Macaulay. Dai Zovi took the $10,000 prize offered by TippingPoint's Zero Day Initiative, while Macaulay got a MacBook Pro.

On Friday, Sean Comeau, one of the CanSecWest organizers, said the bug was in Safari, the Apple browser bundled with Mac OS X. But Monday, researchers at Matasano Security LLC, a New York-based consultancy, said the flaw is actually in QuickTime. Dai Zovi is a former Matasano researcher.

"Dino's finding targets Java handling in QuickTime," said Matasano researcher Thomas Ptacek on the group's blog. "Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability."

Ptacek confirmed that both Safari and Mozilla Corp.'s Firefox can be exploited through the new QuickTime bug. Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime's plug-in is installed. If, as the group said, any Java-enabled browser can be exploited if QuickTime is installed, that would also place Microsoft's Internet Explorer users in the at-risk group.

"Disabling Java stops the vulnerability," Ptacek said.

As with many other exploits, this requires that the user be tricked into visiting a Web site containing the malicious Java code. Dai Zovi took home the prize money the second day of the contest, when previously-determined rules went into effect that counted an exploit that required some action on the part of the user, such as clicking on a link in an e-mail.

QuickTime is no stranger to vulnerabilities. It was last patched mid-March. Before that, it was updated in January to fix a flaw disclosed by the Month of Apple Bugs project.

Apple did not respond to a request for comment.