CanSecWest MacBook Pro challenge a Java-based flaw in QuickTime; may also affect Windows

“The attack successfully used in last week’s CanSecWest competition exploits a Java-based flaw in QuickTime and affects all browsers on systems with the multimedia software installed, possibly including Windows, Dino Dai Zovi, who discovered the flaw, told SecurityFocus on Monday,” SecurityFocus reports.

SecurityFocus reports, “‘Firefox on Windows is considered at risk at this time,’ said Dai Zovi, who had been cleared by TippingPoint’s Zero Day Initiative to discuss certain aspects of the attack. ‘Safari and Firefox are considered vulnerable on Mac OS.'”

Full article here.

Gregg Keizer reports for Computerworld, “‘Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple’s vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability,’ said Thomas Ptacek of Matasano on the group’s blog.”

Keizer reports, “Ptacek confirmed that both Safari and Mozilla Corp.’s Firefox can be exploited through the new QuickTime bug; Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime’s plug-in is installed. If, as the group said, any Java-enabled browser can be exploited if QuickTime is installed, that would also place Microsoft’s Internet Explorer users in the at-risk group.”

Full article here.

[Thanks to MacDailyNews Reader “Qka” for the heads up.]

Related articles:
CanSecWest MacBook Pro challenge exploits Java-enabled browsers, including Firefox – April 23, 2007
InfoWorld publishes false report on Apple Mac security – April 21, 2007
CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari – April 20, 2007
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

25 Comments

  1. I hate this crap. It all seems so bogus.

    It is incredibly unlikely that any of this could take hold in the real world.

    As the late Kurt Vonnegut said, these guys should “take a flying f*ck at a rolling donut”

  2. This is all sponsored by…guess who…Microsoft.

    It is indeed all fabricated false and pointless.

    Perversely, it will make OSX yet more secure, ultimately putting Windows further out on a limb.

  3. Apple will fix the bug in QuickTime. Mac OS X is fundamentally no less secure because there’s a bug in QuickTime that affects Java-enabled browsers when the user happens to go to a malicious web site. In other words, Apple will fix the problem before anyone in the “real world” is affected.

    Windows, on the other hand, is fundamentally flawed (by design) when it comes to security. The only way to fix Windows is to start over, and ditch all the legacy support code.

    And what’s the big deal here…? There have been other application-related security bugs in QuickTime and Safari before. The difference is that Microsoft is obviously ticked off about the negative reception of Vista. Instead of making it’s products better, it sponsors events and media that are designed to make the competition look bad.

    The bottom line is that there are still no viruses or other malware affecting Mac OS X in the real world. That’s what matters to me and consumers in general are starting to see the truth as well.

  4. I am what they call a macfanboy etc etc…freak if you wish. But I think this is something that should be fixed, if it’s true, because Quicktime is a very essential part of Apple’s succes: it’s core of iTunes and the iPod for that matter. It’s a strict part of the AppleTV and it will be a one of the major components of Leopard. Any bad PR is not good. So guys at Apple….take away the doubt…fix it.

    MAcB

  5. This indeed shows how insecure OSX is. Apple ships software that is knows to be insecure and does nothing about it. The big software that Apple tries to ship is the craplet known as Quicktime. Rather then make it simple to de-install this craplet that does little or nothing, it is a difficult task to remove this technology from a computer. Apple computer should be sued via class action lawsuit for putting users at risk.

    Microsoft takes security very seriously and builds in several layers of security to alert users to problems. OSX has nothing to alert the user to anything except what color to make the current background. It is really sad that people are stupid enough to be duped into handing Apple giant piles of cash for their swiss cheese pseudo operating system.

    There is hope that people are seeing the light and are moving to Vista in large numbers. Apple needs to drop the macintosh as a product and do what it does best for now – selling mp3 players that can play stolen music.

  6. Mo said:”It is incredibly unlikely that any of this could take hold in the real world.”

    How so Mo? How is it that you can know how likely it is. Are you privy to information that the rest of us are not?

    Maybe it is finally time for all the Mac fanboys to start eating a bit of crow! Just maybe your beloved Mac is not quite so good as you all think it is. Just maybe you all ought to shut up… it’s over baby!

  7. No viruses yet. No malware yet.

    Number of current documented viruses for OS X in the wild: 0.

    Number of obscure, experimental flaws uncovered in a controlled environment where hackers were challenged to compromise OS X for money, after several difficult hours: well, you get the idea.

    I’ll let Windows losers (uh . . . users) eat crow for now, thanks. Maybe . . . it’s not time for anything as far as Apple is concerned, except more products that truly set the bar for the industry. Maybe we’ll see Vista go the way every other Windows OS has gone: a security nightmare.

    As someone said earlier, the only way to fix Windows is to start over. Windows has become a victim of its own legacy code.

  8. Maybe it is finally time for all the Mac fanboys to start eating a bit of crow! Just maybe your beloved Mac is not quite so good as you all think it is. Just maybe you all ought to shut up… it’s over baby!

    Hey, I’ve got a wacky idea! Why don’t I wait until a Mac user is negatively affected IN THE WILD before I have my first bite of crow.

    You remind me of a soccer fan whose team is losing 8-0 who says “Yeah, well, your team missed a few passes!”

  9. It took seven years to find this vulnerability and the co-operation of CanSecWest by its represtentatives to click on a “website” specially constructed to trigger it.

    This “attack” is no more real than the other two so-called proof-of-concept worms requiring computer labs to make them work. The score is Windows 165,000, Mac 0. And if you think that makes you a winner, it’s like golf: The low score wins.

    So go hug your Windows box. Ballmer, as always, is eyeing you, just another rolling doughnut.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.