The bug that helped security researcher Dino Dai Zovi claim a $10,000 prize at last week’s CanSecWest security conference affects Windows systems too.
That’s because the flaw that Dai Zovi exploited actually lies in the way Apple’s QuickTime Media Player works with the Java programming language, according to Terri Forslof, manager of security response at 3Com’s TippingPoint division, which put up the $10,000 prize. QuickTime runs on both Windows and the Mac.
When first reported, last week Dai Zovi’s bug was thought to lie in Apple’s Safari browser, a standard component of Mac OS X. But users of Firefox — which supports QuickTime on both Windows and the Mac — are also at risk, Forslof said Tuesday.
In terms of seriousness, the bug is comparable to the animated cursor vulnerability that was recently patched in Windows, Forslof said. The bug “is the equivalent to a ‘click and you’re owned’ vulnerability,” she said.
TippingPoint disclosed the flaw to Apple on Monday, but there is still no word on when it will be patched. Because the flaw has not been publicly disclosed, it is not considered to be a significant threat to QuickTime users.
Dai Zovi disclosed the flaw to TippingPoint as part of a contest set up by CanSecWest organizers to see how easy it was to take control of a Mac. “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the principal organizer of CanSecWest, speaking at the show in Vancouver last week.
Initially, contestants were invited to try to access one of two Macs through a wireless access point without any programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs (uniform resource locators) via e-mail.
Dai Zovi, who lives in New York, sent a URL that exposed the hole. Since the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.
Though CanSecWest’s Ruiu said that Apple has been heavy handed in its past dealings with security researchers, Dai Zovi said that has not been his experience. “I have yet to hear anything from Apple besides their standard reply to a vulnerability submission,” he said in an e-mail interview. Dai Zovi said he has reported at least eight security vulnerabilities to Apple and has had “nothing but positive interactions” with the company.
(Nancy Gohring in Seattle contributed to this report.)