Hack challenge's QuickTime bug puts all browsers at risk
Exploit snatched at security conference from unprotected WiFi network, may be in the wild
April 25, 2007 12:00 PM ETComputerworld - The QuickTime vulnerability that first surfaced last Friday in a Mac hack challenge is "very serious" and can be exploited through any Java-enabled browser, including Internet Explorer 7 running on both Windows XP and Vista, the company that laid out the contest's $10,000 prize said today.
Unconfirmed reports also claimed that someone may have captured the exploit on Friday as the MacBook Pro was attacked. If that turns out to be the case, a widespread attack would be more likely.
Although the bug was first ascribed to Apple Inc.'s Safari Web browser, by Monday researchers at 3com TippingPoint -- which put up the prize money as part of its Zero Day Initiative bug bounty program -- had confirmed the vulnerability was in QuickTime, Apple's media player.
Because the flaw is in QuickTime's code, and because QuickTime plug-ins are commonly installed on both Macs and PCs, and in not only Safari, but also Mozilla Corp.'s Firefox and Microsoft Corp.'s Internet Explorer (IE), the attack surface is "huge," said Terri Forslof, TippingPoint's manager of security research.
"This is every bit as dangerous as any vulnerability we see out there," said Forslof, who confirmed today that using IE 6 and IE 7 on Windows XP SP2, as well as IE 7 on Vista, could lead to an exploit. "If Microsoft was rating this, it would [rate it as] a critical vulnerability. One click and you're owned."
"The vulnerability is in QuickTime, but any Java-enabled browser can be an exploit vector. No exclusions," said Forslof. TippingPoint confirmed this morning that IE 7 running on Vista -- the browser that Microsoft touts as its most secure -- could be a route to a PC hijack.
A successful exploit would require that the user be tricked into visiting a Web site containing malicious Java code. That kind of attack is commonplace, with links typically delivered via spammed e-mail. Until Apple patches QuickTime, the only sure defense, said Forslof, is to disable Java in the browser.
Late this morning, researchers at Matasano Security LLC, the New York-based consultancy where the MacBook contest winner, Dino Di Zovie, once worked, said it had unconfirmed reports from credible sources that the exploit had been snatched out of the air at the CanSecWest conference.
The MacBooks left open to attack during the CanSecWest challenge were connected to an unprotected wireless network, said Matasano's Thomas Ptacek in a blog this morning. "Raw packet captures of the successful exploit have been taken by parties unknown," he said. "There's a difference between the exploit being captured and the exploit being successfully hosted by attackers in the wild....[but even so, this is a particularly virulent problem."
Apple
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
