We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Quicktime enables Apple Mac hack

Internet Explorer, Safari, Firefox users at risk

The Apple Mac vulnerability that put $10,000 into the pocket of a hacker during a Mac hacking contest is in Apple's QuickTime media player, according to researchers.

The contest, held at the CanSecWest security conference in Vancouver, pitted a pair of MacBook Pro notebooks, each with all currently-available security patches installed, against all comers. The battle was won by Dino Di Zovie, who forwarded a URL containing an exploit to a friend attending the conference, Shane Macaulay. Di Zovie took the $10,000 prize offered by TippingPoint's Zero Day Initiative, while Macaulay got a MacBook Pro.

On Friday, Sean Comeau, one of the CanSecWest organisers, said the bug was in Safari, the Apple browser bundled with Mac OS X. But researchers at Matasano Security, say the flaw is actually in QuickTime. Di Zovie is a former Matasano researcher.

"Dino's finding targets Java handling in QuickTime," said Matasano researcher Thomas Ptacek on Matasano's blog. "Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability."

Ptacek confirmed that both Safari and Mozilla's Firefox can be exploited through the new QuickTime bug. Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime's plug-in is installed. If, as the group said, any Java-enabled browser can be exploited if QuickTime is installed, that would also place Microsoft's Internet Explorer users in the at-risk group.

"Disabling Java stops the vulnerability," Ptacek said.

As with many other exploits, this requires that the user be tricked into visiting a website containing the malicious Java code. Di Zovie took home the prize money the second day of the contest, when previously-determined rules went into effect that counted an exploit that required some action on the part of the user, such as clicking on a link in an email.

QuickTime is no stranger to vulnerabilities. It was last patched mid-March. Before that, it was updated in January to fix a flaw disclosed by the Month of Apple Bugs project.


IDG UK Sites

Sony Xperia Z3+ release date, price and specs: The Xperia Z4 for the UK

IDG UK Sites

Why Intel’s vision of the future is a future I want to live in

IDG UK Sites

10 amazing, creative uses of tech – and the brands behind them

IDG UK Sites

Jony Ive 'semi-retired' into new role: kicked upstairs as Chief Design Officer