Softpedia
April 24th, 2007, 11:43 GMT · By Victor Mihailescu

CanSecWest Winner Is A QuickTime Flaw

Despite being widely reported as an OS X vulnerability, it turns out that the bug exploited in the CanSecWest contest has nothing to do with Apple's operating system itself and could very well affect Windows machines as well. The vulnerability was originally said to be in Safari, but it seems to be in QuickTime, with Safari only being used to trigger it.

Sean Comeau, one of the CanSecWest organizers, said Friday that the bug was in Safari, Apple's browser that comes with OS X. However, researchers at Matasano Security LLC, a New York-based consultancy where Dai Zovi used to work, said the flaw is actually in QuickTime. "Dino's finding targets Java handling in QuickTime," said Thomas Ptacek of Matasano on the Matasano blog. "Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X and is extremely popular on Windows, where this code introduces a third-party vulnerability."

The issue is in fact not linked to Safari at all, and Ptacek confirmed that Mozilla Corp.'s Firefox can be used in the exploit with identical results. Also, since the issue lies in the way QuickTime handles Java, simply turning off Java closes the vulnerability. It is so far unverified, but assumed by Matasano, that Windows PCs are also vulnerable if QuickTime is installed. If the vulnerability is indeed in the way QuickTime handles Java, it should be present across all platforms regardless of browser, and even Internet Explorer could be used in the attack, since which browser the user uses to reach the malicious web site does not matter.

This is not the first vulnerability in Apple's QuickTime software; however, since it can be avoided entirely by simply turning off Java, users can steer clear of it until Apple releases a fix.
Copyright © 2001-2012 Softpedia.