QuickTime bug exposed at CanSecWest more than just a Safari flaw

Secunia released an advisory today for a QuickTime vulnerability exposed when researcher Shane Macaulay hacked into a MacBook Pro at CanSecWest last week.

Macaulay won a MacBook, and his partner Dino Dai Zovi earned $10,000, for displaying the flaw. In the process, he exposed a vulnerability in Apple’s QuickTime media player that can be exploited on any Java-enabled browser.

The flaw is caused by an unspecified error within QuickTime’s Java handling and exists on Safari, Firefox and any Java-enabled browser. It can be exploited by attackers to execute arbitrary code, according to Secunia, which ranked the flaw as "highly critical."

The advisory warned that other browsers may be affected as well, and urged end users to disable Java support and avoid untrusted websites.

Secunia also credited Dai Zovi with discovering the flaw.

Researcher Thomas Ptacek said Monday on the Matasano Chargen blog that Safari and Firefox are confirmed vectors on MacIntel, and Firefox is a presumed vector on Windows if QuickTime is installed.

Terri Forslof, manager of security response at TippingPoint, told SCMagazine.com on Monday that the vulnerability can be exploited on any browser using Java.

She said the QuickTime flaw was not patched in Apple’s latest round of security updates, released last week.
