14 DAY TRIAL // The vulnerability that was used to hack into one of the two CanSecWest's Macbook Pro set up for grabs in the $10,000 challenge at the 2007 security conference can easily be adapted to tailor fit Windows Vista. Security researchers from 3Com TippingPoint have confirmed that the issue is by no means restricted to Mac OS X and that the critical flaw can be used via all Java-enabled browsers. According to TippingPoint, this description also fits Internet Explorer 7 running in Windows Vista.
Microsoft has yet to confirm or deny claims from TippingPoint that Internet Explorer can be used as a vector of attack for Windows platforms including Windows Vista. But not only IE7 on Windows Vista can become an avenue for attacks, IE 6 and IE 7 on Windows XP SP2 can also be used for successful exploits. Still, the browser is no more than a path, the vulnerability actually resides in Apple's QuickTime media player.
"This is every bit as dangerous as any vulnerability we see out there," revealed Terri Forslof, TippingPoint's manager of security research. "If Microsoft was rating this, it would rate it as a critical vulnerability. One click and you're owned. The vulnerability is in QuickTime, but any Java-enabled browser can be an exploit vector. No exclusions."
There are two immediate workarounds to mitigate this vulnerability. The first and the simplest is to disable Java script in the browser. The second is to uninstall the QuickTime plug-in altogether. Why would you need to do so? Because uncorroborated reports claim that the hack was captured during the demonstration and is not available in the wild.