Apple Fixes QuickTime Hole
Apple has stitched up the hole in QuickTime that allowed hackers at the CanSecWest security show to take over a MacBook Pro in a Pwn-2-Own contest on April 20. The zero-day vulnerability was discovered by Dino Dai Zovi, a principal at security firm Matasano Security, who then passed it on to his accomplice on-site at the show, developer Shane Macaulay. The exploit netted Macaulay a 17-inch MacBook, and Dai Zovi pocketed $10,000 in prize money. The hole is a serious one: Terri Forslof, manager of security response at TippingPoint, compared it to the Windows animated cursor vulnerability in terms of impact and the possibility of system hijacking to which both flaws can lead. "The method of attack is the same as what Microsoft calls 'Click and you're owned.' You get an e-mail, visit a malicious Web site and boom, you're owned. Where there's still that one-step user interaction, it's still a serious vulnerability. Anytime you illegally break into a machine, it's a hack," Forslof told me last week. In issuing the update, QuickTime 7.1.6, Apple described it as an implementation issue in QuickTime for Java that may allow reading or writing out of the bounds of the allocated heap. The exploit works by enticing a user to visit a site containing a maliciously crafted Java applet, which the attacker can trigger and use to cause arbitrary code execution. The update, available for Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2 and Windows 2000 SP4, fixes the hole by doing additional bounds checking when creating QTPointerRef objects, Apple said. The hole didn't lead to exploits in the wild, although much commotion ensued after an apparent troll claimed to have wirelessly intercepted the exploit at CanSecWest. Although the claim was fairly ludicrous—the Pwn-2-Own contest was being held on a closed, wired network, and the wireless network at the show was being monitored and would have picked up on an intercept—the security and Apple user community momentarily freaked last week. |
Comments (1)
Apple was pretty quick to fix that problem. The contest was set up to discredit Apple, but Apple responded very quickly with the update. I suspect the fix, a 48 mb fix was already in the works. I also think the fix addresses other issues as well. I think the contest to make Apple look bad failed and actually made Apple look good because of the quickness of their patch. Apple's been pretty lucky lately. It's like they are made of teflon and the FUD isn't sticking.
As a Mac owner and long time user, my biggest concern about Apple is that they postponed Leopard to put resources into the iPhone which is really no big deal as long as Leopard comes out really clean when they release it. The iPhone is an extremely high profile project. If it becomes successful, will Mac OSX, Apple's greatest achievement, and Apple's other software projects become lower priority compared to the appliance market. Apple makes a mint on iPods. Ad phones to the mix, will Apple lose focus on their growing success in the computer market. Computer sales grew at a higher rate than iPod sales this last year. I just don't want Apple to turn into Motorola.
Posted by StuartEvins | May 2, 2007 5:22 PM