We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Quicktime enables Apple Mac hack

Internet Explorer, Safari, Firefox users at risk

The Apple Mac vulnerability that put $10,000 into the pocket of a hacker during a Mac hacking contest is in Apple's QuickTime media player, according to researchers.

The contest, held at the CanSecWest security conference in Vancouver, pitted a pair of MacBook Pro notebooks, each with all currently-available security patches installed, against all comers. The battle was won by Dino Di Zovie, who forwarded a URL containing an exploit to a friend attending the conference, Shane Macaulay. Di Zovie took the $10,000 prize offered by TippingPoint's Zero Day Initiative, while Macaulay got a MacBook Pro.

On Friday, Sean Comeau, one of the CanSecWest organisers, said the bug was in Safari, the Apple browser bundled with Mac OS X. But researchers at Matasano Security, say the flaw is actually in QuickTime. Di Zovie is a former Matasano researcher.

"Dino's finding targets Java handling in QuickTime," said Matasano researcher Thomas Ptacek on Matasano's blog. "Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability."

Ptacek confirmed that both Safari and Mozilla's Firefox can be exploited through the new QuickTime bug. Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime's plug-in is installed. If, as the group said, any Java-enabled browser can be exploited if QuickTime is installed, that would also place Microsoft's Internet Explorer users in the at-risk group.

"Disabling Java stops the vulnerability," Ptacek said.

As with many other exploits, this requires that the user be tricked into visiting a website containing the malicious Java code. Di Zovie took home the prize money the second day of the contest, when previously-determined rules went into effect that counted an exploit that required some action on the part of the user, such as clicking on a link in an email.

QuickTime is no stranger to vulnerabilities. It was last patched mid-March. Before that, it was updated in January to fix a flaw disclosed by the Month of Apple Bugs project.


IDG UK Sites

Android M Developer Preview announced at Google I/O: Android M UK release date and new features. Wh?......

IDG UK Sites

Why I think the Apple Watch sucks and you'd be mad to buy it

IDG UK Sites

Ben & Holly's Game of Thrones titles spoof is delightfully silly

IDG UK Sites

Mac OS X 10.11 release date rumours: all the new features expected in Yosemite successor