The Apple Mac vulnerability that put $10,000 into the pocket of a hacker during a Mac hacking contest is in Apple's QuickTime media player, according to researchers.
The contest, held at the CanSecWest security conference in Vancouver, pitted a pair of MacBook Pro notebooks, each with all currently-available security patches installed, against all comers. The battle was won by Dino Di Zovie, who forwarded a URL containing an exploit to a friend attending the conference, Shane Macaulay. Di Zovie took the $10,000 prize offered by TippingPoint's Zero Day Initiative, while Macaulay got a MacBook Pro.
On Friday, Sean Comeau, one of the CanSecWest organisers, said the bug was in Safari, the Apple browser bundled with Mac OS X. But researchers at Matasano Security, say the flaw is actually in QuickTime. Di Zovie is a former Matasano researcher.
"Dino's finding targets Java handling in QuickTime," said Matasano researcher Thomas Ptacek on Matasano's blog. "Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability."
Ptacek confirmed that both Safari and Mozilla's Firefox can be exploited through the new QuickTime bug. Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime's plug-in is installed. If, as the group said, any Java-enabled browser can be exploited if QuickTime is installed, that would also place Microsoft's Internet Explorer users in the at-risk group.
"Disabling Java stops the vulnerability," Ptacek said.
As with many other exploits, this requires that the user be tricked into visiting a website containing the malicious Java code. Di Zovie took home the prize money the second day of the contest, when previously-determined rules went into effect that counted an exploit that required some action on the part of the user, such as clicking on a link in an email.
QuickTime is no stranger to vulnerabilities. It was last patched mid-March. Before that, it was updated in January to fix a flaw disclosed by the Month of Apple Bugs project.