Mac hacked through QuickTime flaw

Hack-a-Mac contest winner exploited a zero-day bug in QuickTime that could also expose Windows users.
Written by Joris Evers, Contributor
The security hole used to breach a MacBook in a hack-a-Mac competition last week lies in Apple's QuickTime media player, the flaw finder said Tuesday.

The vulnerability is related to how QuickTime handles Java, said security researcher Dino Dai Zovi. An attacker can exploit the bug through Safari or Firefox, he said. Initial reports were that the flaw was in Safari, Apple's Web browser.

"It is a vulnerability within QuickTime. Safari and Firefox on Mac OS X are vulnerable," Dai Zovi said. QuickTime is also widely used on Windows machines, so Windows users may also be at risk, he said. "At this time, Firefox on Windows is considered at risk," Dai Zovi said.

Security monitoring company Secunia deems the flaw "highly critical," one notch below its most serious rating. "This can be exploited to execute arbitrary code when a user visits a malicious Web site," Secunia said. Apple's most recent QuickTime security update was in March.

Shane Macaulay, a software engineer and a friend of Dai Zovi's, hacked into a MacBook using the QuickTime security hole on Friday. The computer was one of two offered as a prize in the "PWN to Own" hack-a-Mac contest at the CanSecWest conference in Vancouver, British Columbia.

The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack more familiar to Windows users.

Apple has declined to comment on the MacBook hack specifically, but spokeswoman Lynn Fox last week provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users," she said.

Further details on the flaw are being kept confidential until Apple patches it. Dai Zovi has submitted the vulnerability to TippingPoint's Zero Day Initiative bug bounty program. TippingPoint, which sells intrusion prevention systems, had offered a $10,000 prize for a Mac zero-day vulnerability to make the CanSecWest contest more appealing to hackers.

"TippingPoint has offered to purchase the vulnerability and I have agreed, payment is pending," Dai Zovi said.

Disabling Java in a browser shields a computer against attacks that exploit the flaw, Dai Zovi said. Macs are vulnerable by default because Apple ships QuickTime with the operating system. Windows users are only vulnerable if QuickTime is installed.

Editorial standards