NOW READ THIS
("Security Advisory")
Go Back
Submitted by: Bill Hickey
NCVA List Master
NRT-0161 Mac Attack - More information:
Researchers have confirmed that a Quicktime bug was the Achilles heel that felled a MacBook Pro last week in the Pwn-2-Own contest at the CanSecWest security conference. Security firm Matasano's Dino Dai Zovi, who wrote the exploit, said on 20APR that a flaw in Apple's Safari browser was what brought the machine down. But, after more analysis, ZDI - the research unit at TippingPoint, which put up $10,000 as a reward in the contest - has found that it was actually a Java-based vulnerability in QuickTime that got the machine, owned by Dai Zovi and his online accomplice, Shaun Mcaulay. Dai Zovi, who is also still researching the flaw, said on 24APR that the vulnerability affects not only Safari but also Firefox on Mac OS/X. Firefox on Windows may also be at risk, he said. If it does turn out that Windows running Firefox is vulnerable, it would make this a "much more serious flaw," he said. "QuickTiume is often installed by itself on computers, but more often on iTunes," he said.
Terri Forslof, manager of security response at Tipping Point, confirmed that any Java-enabled browser is potentially vulnerable, but that Internet Explorer is not, given its sandbox feature, which "does handle the vulnerability appropriately."
"The method of attack is the same as what Microsoft calls 'click and you're owned.' You get an email, visit a malicious web site, and boom, you're owned. Where there's still that one-step user interaction, it's still a serious vulnerability," Forslof said. Because Quicktime is installed on the Mac operating system by default, turned on and ready to go, it is comparable to a Windows media player bug, she said. "Even though it's not the main system you compromise, you still own the whole system when you do compromise it. It's every bit as serious."
(http://securitywatch.eweek.com 24APR07)
Last Modified: Sunday, 06-May-2007 08:57:00 EDT