CanSecWest MacBook Pro challenge exploited a Java-based flaw in QuickTime; may also affect Windows

“The attack successfully used in last week’s CanSecWest competition exploits a Java-based flaw in QuickTime and affects all browsers on systems with the multimedia software installed, possibly including Windows, Dino Dai Zovi, who discovered the flaw, told SecurityFocus on Monday,” SecurityFocus reports.

SecurityFocus reports, “‘Firefox on Windows is considered at risk at this time,’ said Dai Zovi, who had been cleared by TippingPoint’s Zero Day Initiative to discuss certain aspects of the attack. ‘Safari and Firefox are considered vulnerable on Mac OS.'”

Full article here.

Gregg Keizer reports for Computerworld, “‘Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple’s vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability,’ said Thomas Ptacek of Matasano on the group’s blog.”

Keizer reports, “Ptacek confirmed that both Safari and Mozilla Corp.’s Firefox can be exploited through the new QuickTime bug; Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime’s plug-in is installed. If, as the group said, any Java-enabled browser can be exploited if QuickTime is installed, that would also place Microsoft’s Internet Explorer users in the at-risk group.”

Full article here.

[Thanks to MacDailyNews Reader “Qka” for the heads up.]


25 Comments

  1. I hate this crap. It all seems so bogus.

    It is incredibly unlikely that any of this could take hold in the real world.

    As the late Kurt Vonnegut said, these guys should “take a flying f*ck at a rolling donut”

  2. Apple will fix the bug in QuickTime. Mac OS X is fundamentally no less secure because there’s a bug in QuickTime that affects Java-enabled browsers when the user happens to go to a malicious web site. In other words, Apple will fix the problem before anyone in the “real world” is affected.

    Windows, on the other hand, is fundamentally flawed (by design) when it comes to security. The only way to fix Windows is to start over, and ditch all the legacy support code.

    And what’s the big deal here…? There have been other application-related security bugs in QuickTime and Safari before. The difference is that Microsoft is obviously ticked off about the negative reception of Vista. Instead of making its products better, it sponsors events and media that are designed to make the competition look bad.

    The bottom line is that there are still no viruses or other malware affecting Mac OS X in the real world. That’s what matters to me and consumers in general are starting to see the truth as well.

  3. I am what they call a macfanboy etc etc…freak if you wish. But I think this is something that should be fixed, if it’s true, because Quicktime is a very essential part of Apple’s success: it’s the core of iTunes and the iPod for that matter. It’s a strict part of the AppleTV and it will be one of the major components of Leopard. Any bad PR is not good. So guys at Apple….take away the doubt…fix it.

    MAcB

  4. This indeed shows how insecure OSX is. Apple ships software that is known to be insecure and does nothing about it. The big software that Apple tries to ship is the craplet known as Quicktime. Rather than make it simple to de-install this craplet that does little or nothing, it is a difficult task to remove this technology from a computer. Apple computer should be sued via class action lawsuit for putting users at risk.

    Microsoft takes security very seriously and builds in several layers of security to alert users to problems. OSX has nothing to alert the user to anything except what color to make the current background. It is really sad that people are stupid enough to be duped into handing Apple giant piles of cash for their swiss cheese pseudo operating system.

    There is hope that people are seeing the light and are moving to Vista in large numbers. Apple needs to drop the macintosh as a product and do what it does best for now – selling mp3 players that can play stolen music.

  5. Mo said: “It is incredibly unlikely that any of this could take hold in the real world.”

    How so Mo? How is it that you can know how likely it is. Are you privy to information that the rest of us are not?

    Maybe it is finally time for all the Mac fanboys to start eating a bit of crow! Just maybe your beloved Mac is not quite so good as you all think it is. Just maybe you all ought to shut up… it’s over baby!

  6. No viruses yet. No malware yet.

    Number of current documented viruses for OS X in the wild: 0.

    Number of obscure, experimental flaws uncovered in a controlled environment where hackers were challenged to compromise OS X for money, after several difficult hours: well, you get the idea.

    I’ll let Windows losers (uh . . . users) eat crow for now, thanks. Maybe . . . it’s not time for anything as far as Apple is concerned, except more products that truly set the bar for the industry. Maybe we’ll see Vista go the way every other Windows OS has gone: a security nightmare.

    As someone said earlier, the only way to fix Windows is to start over. Windows has become a victim of its own legacy code.

  7. Maybe it is finally time for all the Mac fanboys to start eating a bit of crow! Just maybe your beloved Mac is not quite so good as you all think it is. Just maybe you all ought to shut up… it’s over baby!

    Hey, I’ve got a wacky idea! Why don’t I wait until a Mac user is negatively affected IN THE WILD before I have my first bite of crow.

    You remind me of a soccer fan whose team is losing 8-0 who says “Yeah, well, your team missed a few passes!”

  8. It took seven years to find this vulnerability and the co-operation of CanSecWest by its representatives to click on a “website” specially constructed to trigger it.

    This “attack” is no more real than the other two so-called proof-of-concept worms requiring computer labs to make them work. The score is Windows 165,000, Mac 0. And if you think that makes you a winner, it’s like golf: The low score wins.

    So go hug your Windows box. Ballmer, as always, is eyeing you, just another rolling doughnut.

  9. So despite the recent “it’s Sun’s Java’s fault” language going around, it’s really Apple’s fault after all

    Apple’s trojan horse “media format” on the PC platform to woo PC users over to the Mac has failed miserably.

    First off Quicktime has been rated one of the TOP TEN PC ANNOYANCES and many Windows IT folks refuse to install it.

    Second Quicktime has had numerous security issues because Apple is not focused on security as much as it portrays.

    I love Apple, but they better get their sh*t together fast.

    95% of exploits are in applications and plug-ins.

  10. “Apple’s vulnerable code ships by default on Mac OS X”

    So are they speaking of a factory image of 10.4.6 that shipped on a macbook almost a year ago, or are they talking about with 10.4.9 and all other software updates?

  11. It would be interesting to know how old is the QuickTime code responsible for that bug?
    I mean, some (most?) QuickTime code is older than anything related to OS X. If that specific code found now guilty is from the Classic OS days, then this gives me more confidence that OS X is really a rock solid OS with flaws that come from the old OS code or the OSS that Apple incorporates from outside.
    Apple will probably fix this in the coming weeks, no need to panic from that one and there’s probably several other bugs of that kind lying on that old QT code…

  12. Am I wrong or is this what is happening? The problem is not QuickTime, per se, but the fact that QuickTime can execute Java, Flash, until recently JavaScript and on and on. QuickTime can handle about 100 different file types. So really it is the flaws in these other things that the hackers are exploiting through QuickTime.

    With great functionality comes great responsibility.

    The “rolling donut” guy was Kurt Vonnegut, a very important American author. One of his more famous books was “Slaughterhouse-Five”; I believe it was required reading in schools at one time. Some school boards banned it and indeed burned it. Which is quite ironic…if you read the book you will know why. This great author is largely lost on this generation. All his novels are gems. It’s a short book, go out and get a copy…make your kids read it.

    Kurt Vonnegut died this month…So it goes…

  13. “many Windows IT folks refuse to install it.”

    Except, of course, in companies like mine where the CEO has an iPod and wants to use it on his work computer…what gets imaged on his, gets imaged to us all

  14. Reality

    Along with him died the last delusions that Mac OS X is secure.

    Keep your laughable ignorance to yourself.

    Mac OS X is secure. It has always been secure. It is far more secure than Windows, and has always been more secure than Windows. An exploit that requires specific user action and foreknowledge of the attempt to hack hardly makes Mac OS X magically insecure and open to all sorts of attacks.
