“Anonymous sources at 3Com confirm [the QuickTime vulnerability found in the CanSecWest “Hack a Mac” challenge] is exploitable in IE7 and IE6 on Windows XP,” Matasano Chargen reports.
Full article here.
Robert McMillan reports for Digit, “The bug that helped security researcher Dino Dai Zovi claim a US$10,000 prize at last week’s CanSecWest security conference affects Windows systems too. That’s because the flaw that Dai Zovi exploited actually lies in the way Apple’s QuickTime Media Player works with the Java programming language, according to Terri Forslof, manager of security response at 3Com’s TippingPoint division, which put up the $10,000 prize. QuickTime runs on both Windows and the Mac.”
“Dai Zovi said he has reported at least eight security vulnerabilities to Apple and has had ‘nothing but positive interactions’ with the company,” McMillan reports.
Full article here.
Shit rolls downhill.
-c
This is not fair! Windows gets all the vulnerabilities, even the Apple ones!
What about Vista? Allow?
I guess the Windows fanboyz celebrated just a little too soon eh?
Whilst it’s not good that a piece of Apple software can lead to a problem like this, I suppose it’s better that it’s not the OS itself that’s the problem. At least OS X’s record is still good.
Sounds like it’s more of an IE problem – thus a M$$$$ issue rather than an Apple/Mac issue!
But then again, I guess if you can’t find a way in fairly – there’s always the M$$$ product line to fall back on!
Get a clue people this is a Java issue not an OS issue.
Better read the entire article including the responses boys and girls. There seems to be a lot of confusion there about what really is and what really isn’t with regard to IE6 and IE7.
It’s a Java vulnerability that’s exploitable through a flaw in QuickTime. Apple’s got to close the door, not anyone else.
When WILL the Window-tards ever learn? No Windows is fresh air.
Slow news day.
So… Lemme get this straight.
If I turn Java in Safari off, am I no longer vulnerable to this particular exploit?
Show me a real exploit of the Mac OS.
Wasn’t there actually two Macs set up to be hacked at that WinDoze conference?
Think I read somewhere that only one got hacked.
If true, then why didn’t the other one get hacked?
Whatever happened to the last Mac that required root access? I assume nothing. So, they failed at remote attacks and at gaining root access. The exploit that was discovered is serious and needs fixing, but I repeat the question: does anyone really think that 2 Windoze boxes would have fared any better?
<crickets>
Well, some people here sure sound like MS apologists. The thing is, you shouldn’t have to turn off Java in Safari to remain invulnerable. We should expect better. I’m sure Steve Jobs wouldn’t want a computer that once he gets it, has to turn things off to make it run correctly.
@Smugg
Yes, just turn off Java in Safari preferences. (Leave JavaScript on; it has little to do with Java anyway.)
If true, then why didn’t the other one get hacked?
Very true. The rules were that it had to do a totally new exploit so one could not use what Dino found on the QT interaction with Java. AND, it was required to be able to get root access. No one succeeded, no one got the MacBook Pro and the cash prize.
@G-Spank
Absolutely, it is a problem that will be fixed by Apple. Dino disclosed his finding to Apple first.
Can Java be exploited by other means besides QuickTime? Say…Flash or some other plugin?
This reminds me of the AutoStart worm back in the late 90’s. There was all this hoopla and Windoze users sayin’ “Gotcha!” but all Mac users had to do was go into QuickTime and turn the option “off”. Problem solved. How does this hack constitute a significant problem to Mac OS or its users?
While it should be dealt with, it is by no means a serious threat.
deleted wrote: “Leave JavaScript on, it has little to do with Java anyway”
“Little to do,” as in “nothing at all.”