WatchGuard Wire
Improve Your Security IQ
Security Contest Victory Morphs Into Apple Quicktime Zero-day
Last week, Shane Macaulay won a free MacBook at a security contest in Vancouver, B.C., by breaking into it. This week, the hack he used is the latest Apple Quicktime Zero-day. The buzz now is all about the details that are beginning to emerge regarding the vulnerability. Although Apple won't confirm anything, apparently there is a vulnerability in how Quicktime handles Java. When a user browses to a malicious web site with an Opera, Safari, or Firefox browser, Quicktime "magically" gives the attacker control of the machine.
In the absence of reliable data to the contrary, we presume this is a buffer overflow type of attack where the attacker gets control of the machine with the same level of security permissions as the logged-in user.
Most sources agree on two further points: 1) disabling Java is an effective work-around until Apple releases a patch, and 2) the Quicktime plug-in for Firefox on Windows should be presumed vulnerable too as long as Quicktime is installed.
We'll keep you updated on this situation and let you know when Apple releases a patch. In the meantime, think about disabling Java on your Quicktime-enabled systems, at least until more is known about this issue.
--Steve Fallin
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.