Hack contest's QuickTime bug puts all browsers at risk

Exploit snatched at security conference from unprotected WiFi network, may be in the wild

The QuickTime vulnerability that first surfaced last Friday in a Mac hack challenge is "very serious" and can be exploited through any Java-enabled browser, including Internet Explorer 7 running on both Windows XP and Vista, the company that laid out the contest's US$10,000 prize said Wednesday.

Unconfirmed reports also claimed that someone may have captured the exploit on Friday as the MacBook Pro was attacked. If that turns out to be the case, a widespread attack would be more likely.

Although the bug was first ascribed to Apple's Safari Web browser, by Monday researchers at 3com TippingPoint -- which put up the prize money as part of its Zero Day Initiative bug bounty program -- had confirmed the vulnerability was in QuickTime, Apple's media player.

Because the flaw is in QuickTime's code, and because QuickTime plug-ins are commonly installed on both Macs and PCs, and in not only Safari, but also Mozilla's Firefox and Microsoft's Internet Explorer (IE), the attack surface is "huge," said Terri Forslof, TippingPoint's manager of security research.

"This is every bit as dangerous as any vulnerability we see out there," said Forslof, who confirmed Wednesday that using IE 6 and IE 7 on Windows XP SP2, as well as IE 7 on Vista, could lead to an exploit. "If Microsoft was rating this, it would [rate it as] a critical vulnerability. One click and you're owned."

"The vulnerability is in QuickTime, but any Java-enabled browser can be an exploit vector. No exclusions," said Forslof. TippingPoint confirmed this morning that IE 7 running on Vista -- the browser that Microsoft touts as its most secure -- could be a route to a PC hijack.

A successful exploit would require that the user be tricked into visiting a Web site containing malicious Java code. That kind of attack is commonplace, with links typically delivered via spammed e-mail. Until Apple patches QuickTime, the only sure defense, said Forslof, is to disable Java in the browser.

Late Wednesday morning, researchers at Matasano Security, the New York-based consultancy where the MacBook contest winner, Dino Dai Zovi, once worked, said it had unconfirmed reports from credible sources that the exploit had been snatched out of the air at the CanSecWest conference.

The MacBooks left open to attack during the CanSecWest challenge were connected to an unprotected wireless network, said Matasano's Thomas Ptacek in a blog this morning. "Raw packet captures of the successful exploit have been taken by parties unknown," he said. "There's a difference between the exploit being captured and the exploit being successfully hosted by attackers in the wild....[but] even so, this is a particularly virulent problem."

Adding fodder to those reports, a writer on the Information Security Sell Out blog claimed to have not only captured all data packets transmitted during the hacking contest, but had reverse-engineered the vulnerability.

Ptacek of Matasano, however, was dubious. "Their claims aren't corroborated by any of the public record about the vulnerability, which, contrary to their report, doesn't appear to involve 'the way QuickTime handles Javascript'."

Forslof would neither confirm nor deny the reports of the exploit -- for which it paid Di Zovie the US$10,000 -- escaping into the wild. "We're keeping the details of the vulnerability close to the chest," she said, "but QuickTime is pretty ubiquitous. With so much press around the actual challenge and so many people interested in it, an exploit is just a matter of time."

Although Forslof said that her team had reported the QuickTime vulnerability to Apple on Monday, the computer maker has refused to comment on the specifics of the bug. Company spokesman Anuj Nayar would only repeat the standard Apple statement issued when security questions are asked: "Apple takes security very seriously and has an excellent track record of addressing potential vulnerabilities. We always welcome feedback on how to improve security."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?