We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,787 News Articles

Quicktime enables Apple Mac hack

Internet Explorer, Safari, Firefox users at risk

The Apple Mac vulnerability that put $10,000 into the pocket of a hacker during a Mac hacking contest is in Apple's QuickTime media player, according to researchers.

The contest, held at the CanSecWest security conference in Vancouver, pitted a pair of MacBook Pro notebooks, each with all currently-available security patches installed, against all comers. The battle was won by Dino Di Zovie, who forwarded a URL containing an exploit to a friend attending the conference, Shane Macaulay. Di Zovie took the $10,000 prize offered by TippingPoint's Zero Day Initiative, while Macaulay got a MacBook Pro.

On Friday, Sean Comeau, one of the CanSecWest organisers, said the bug was in Safari, the Apple browser bundled with Mac OS X. But researchers at Matasano Security, say the flaw is actually in QuickTime. Di Zovie is a former Matasano researcher.

"Dino's finding targets Java handling in QuickTime," said Matasano researcher Thomas Ptacek on Matasano's blog. "Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability."

Ptacek confirmed that both Safari and Mozilla's Firefox can be exploited through the new QuickTime bug. Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime's plug-in is installed. If, as the group said, any Java-enabled browser can be exploited if QuickTime is installed, that would also place Microsoft's Internet Explorer users in the at-risk group.

"Disabling Java stops the vulnerability," Ptacek said.

As with many other exploits, this requires that the user be tricked into visiting a website containing the malicious Java code. Di Zovie took home the prize money the second day of the contest, when previously-determined rules went into effect that counted an exploit that required some action on the part of the user, such as clicking on a link in an email.

QuickTime is no stranger to vulnerabilities. It was last patched mid-March. Before that, it was updated in January to fix a flaw disclosed by the Month of Apple Bugs project.


IDG UK Sites

Windows 9 release date, price, features: 30 September marked for unveiling

IDG UK Sites

Gateway to your kingdom: why everybody should check and update their broadband router

IDG UK Sites

Netflix whips up 3D VR viewing room for Oculus Rift during company hack day

IDG UK Sites

Best Mac? Complete Apple Mac buyers guide for 2014