New security hole found in QuickTime and Mac OS-X
April 24, 2007
A new security flaw that was discovered last week and that breached a MacBook in a Hack-a-Mac competition was attributed to Apple's QuickTime media player. Internet security worker Dai Zovi said the security vulnerability is directly related to the method QuickTime handles Java scripts. Zovi added that a potential hacker can exploit the security hole through Safari or Firefox. Some of the reports that first came in had indicated that the flaw was initially located in Safari, Apple's Internet browser.
Furthermore, Zovi said "it's a vulnerability within QuickTime. Safari and Firefox on Mac OS-X are also vulnerable. QuickTime is also widely used on Windows machines, so Windows users may also be at risk. At this time, Firefox on Windows is potentially considered at risk."
Internet security monitoring company Secunia identified the hole as "highly critical," one notch below its most serious rating. "This can be exploited to execute arbitrary code when a user visits a malicious Web site," Secunia said.
Apple's most recent QuickTime security update was last month.
Shane Macaulay, a software engineer and friend of Dai Zovi, hacked into a MacBook using the QuickTime security hole on April 20. The computer was one of two offered as a prize in the "PWN to Own - Hack-a-Mac" contest at the CanSecWest conference in Vancouver, B.C.
The successful Internet attack on the second and final day of the contest required a conference organizer to surf to a malicious website using Safari on the MacBook, a type of attack more familiar to Windows users than to Mac OS-X clients.
For its part, Apple declined to comment on the MacBook security vulnerability. However, last Friday, spokeswoman Lynn Fox provided Apple's standard security comment by saying "Apple takes security very seriously and has a great track record (!) of addressing potential vulnerabilities before they can affect users."
Further details on Apple's security hole are being kept confidential until the company successfully patches it. Meanwhile, Dai Zovi has submitted the vulnerability to TippingPoint's Zero Day Initiative bug bounty program.
TippingPoint, which sells intrusion prevention systems, had offered a $10,000 cash prize for a Mac zero-day vulnerability to make the CanSecWest contest more appealing to potential hackers.
Dai Zovi added "TippingPoint has since offered to purchase the vulnerability and I have agreed. Payment is in fact pending."
Zovi also commented that "disabling Java in a browser further shields a computer against attacks that could exploit the security hole. By default, Mac computers are vulnerable since Apple automatically ships QuickTime with its OS X operating system.
However, Windows PC users are only vulnerable if QuickTime is installed on their computers.
Source: C-Net News
Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.
You can link to the
Internet Security web site as
much as you like. Read our section on how your company can participate in our
reciprocal link exchange program
and increase your rankings
in the major search engines such as
Site optimized by Pagina+™
Powered by Sun Hosting
Search engine keywords by Rank for Sales
Development platform by My Web Services
Internet Security.ca is listed in
Global Business Listing