April 24, 2007 11:39 AM PDT

Mac hacked through QuickTime flaw

The security hole used to breach a MacBook in a hack-a-Mac competition last week lies in Apple's QuickTime media player, the flaw finder said Tuesday.

The vulnerability is related to how QuickTime handles Java, said security researcher Dino Dai Zovi. An attacker can exploit the bug through Safari or Firefox, he said. Initial reports were that the flaw was in Safari, Apple's Web browser.

"It is a vulnerability within QuickTime. Safari and Firefox on Mac OS X are vulnerable," Dai Zovi said. QuickTime is also widely used on Windows machines, so Windows users may also be at risk, he said. "At this time, Firefox on Windows is considered at risk," Dai Zovi said.

Security monitoring company Secunia deems the flaw "highly critical," one notch below its most serious rating. "This can be exploited to execute arbitrary code when a user visits a malicious Web site," Secunia said. Apple's most recent QuickTime security update was in March.

Shane Macaulay, a software engineer and a friend of Dai Zovi's, hacked into a MacBook using the QuickTime security hole on Friday. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference in Vancouver, British Columbia.

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack more familiar to Windows users.

Apple has declined to comment on the MacBook hack specifically, but spokeswoman Lynn Fox last week provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users," she said.

Further details on the flaw are being kept confidential until Apple patches it. Dai Zovi has submitted the vulnerability to TippingPoint's Zero Day Initiative bug bounty program. TippingPoint, which sells intrusion prevention systems, had offered a $10,000 prize for a Mac zero-day vulnerability to make the CanSecWest contest more appealing to hackers.

"TippingPoint has offered to purchase the vulnerability and I have agreed, payment is pending," Dai Zovi said.

Disabling Java in a browser shields a computer against attacks that exploit the flaw, Dai Zovi said. Macs are vulnerable by default because Apple ships QuickTime with the operating system. Windows users are only vulnerable if QuickTime is installed.


14 comments

YAQTF
Yet Another QuickTime Flaw.

I think this is like the 100th one this year now?
Posted by mjm01010101 (126 comments )
Actually it's not that many flaws...
Actually it's not that many flaws for a piece of software of that complexity. Of course there have been several Quicktime flaws found since the last MS Media Player flaw. Why is that? Simple, while both applications were first developed before the security problems of overflows etc were recognized as a major security risk, MS has been under a lot more pressure to clean up their act than Apple has, consequently Apple hasn't done as much as they could have and now Quicktime is definitely in the cross-hairs of the hacker community.

It's definitely time that Apple take a long hard look at their Quicktime code and bring it up to date.

I'm not condemning Apple yet but if they let a few more of these happen it'll soon be time to start recommending that Quicktime be removed from all systems (not something I really want to see).
Posted by aabcdefghij987654321 (1721 comments )
hmmm
this whole "mac was hacked" saga has been mighty interesting but I just have some general things to say about it. First, I'd like to reiterate that in order for people to even get to this hack...the rules of the competition had to be RELAXED in order for people to do anything. and then at that, the flaw turned out to be NOT w/ OS X, NOT w/ Safari but w/ QuickTime but NOT just quicktime but w/ how it interacts w/ Java. so if anybody is trying to relate this to a typical IE or Windows exploit-which have to deal with actual flaws w/ microsoft's WINDOWS OS and such, you're moronic and don't really understand anything. oh and btw.. the second hack challenge of gaining root privileges was never achieved. and also for all those "mac is no safer than windows" individuals, by making this a headline/news you've proved the rarity of it and just further validated the point that Macs are inherently safer than PCs for numerous factors.
so.....shazaaaaaaaaaam!
Posted by bobmarksdale (29 comments )
Turns out not to be a significant flaw.
Check this out: http://blogs.zdnet.com/security/?p=176

The hack needed help from a user at the Mac. From the above article:

"Deploying the exploit required someone on the ground at the conference. The exploit launched a shell so we needed someone to connect to the shell and follow the instructions to claim victory. Shane ran the actual attack and he also helped to test the exploit ahead of time."

Not exactly what I'd call a real world threat.
Posted by Macsaresafer (802 comments )
The Empire Strikes Back....
(Pipe in "The Imperial March" from "Star Wars: The Empire Strikes Back") It's a dark day for the republic. When the discovered flaws are within the apps themselves, and not within the operating systems, then it is a very dark day indeed for personal computing, and their end users. The flaws are now in the inter-operable apps themselves! That means that not only the operating system platforms that we use are now vulnerable, but the other apps that they use within them are now vulnerable, too. A sad day, indeed. Now, how soon will Mozilla, Sun, Apple, & Microsoft issue patches and/or work-arounds? I think patches will be in this order, but I hope that some anarchistic, anti-establishmentarianist jerk won't exploit this hole before the patch is created and distributed. In the meantime...we wait....
Posted by Jon N. (182 comments )
Please enter the subject!
I don't wait, I just uninstall quicktime. It's not the first or last time this bloated app has had vulnerabilities.

Why do media players have the ability to script? There is no good reason.
Posted by mjm01010101 (126 comments )
Here is the REAL test....
First get four very ordinary people. Two women and two men. Get four computers. Two Macs and two PCs. Give a Mac to one of the women and man. Give a PC to one woman and a man. Have them all connected to the internet (Broadband) at the same time, letting them surf to their heart's content and letting them go anywhere from knitting to fishing and from gambling to porn. Let them continue at this for let's say twelve hours. After twelve hours check the systems for virus, adware, spyware, malware and outright hijacks. Only then we will see which system holds its mettle in the most ordinary conditions. To be fair add another man and woman and give them a PC loaded with the most popular Linux operating system (Ubuntu as of this date) and have them do the same. Which operating system do you think will hold up with the test of time?
Posted by Ted Miller (305 comments )