Quantcast
RSS
Operating Systems April 24, 2007 10:00 AM

$10,000 Mac Hack Affects Windows Too

By Robert McMillan, IDG News Service

The bug that helped security researcher Dino Dai Zovi claim a $10,000 prize at last week's CanSecWest security conference affects Windows systems too.

People who read this also read:

That's because the flaw that Dai Zovi exploited actually lies in the way Apple's QuickTime Media Player works with the Java programming language, according to Terri Forslof, manager of security response at 3Com's TippingPoint division, which put up the $10,000 prize. QuickTime runs on both Windows and the Mac.

How Serious?

When first reported last week, Dai Zovi's bug was thought to lie in Apple's Safari browser, a standard component of Mac OS X. But users of Firefox -- which supports QuickTime on both Windows and the Mac -- are also at risk, Forslof said Tuesday.

In terms of seriousness, the bug is comparable to the animated cursor vulnerability that was recently patched in Windows, Forslof said. The bug "is the equivalent to a 'click and you're owned' vulnerability," she said.

TippingPoint disclosed the flaw to Apple on Monday, but there is still no word on when it will be patched. Because the flaw has not been publicly disclosed, it is not considered to be a significant threat to QuickTime users.

The Mac Challenge

Dai Dovi disclosed the flaw to TippingPoint as part of a contest set up by CanSecWest organizers to see how easy it was to take control of a Mac. "You see a lot of people running OS X saying it's so secure and frankly Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of CanSecWest, speaking at the show in Vancouver last week.

Initially, contestants were invited to try to access one of two Macs through a wireless access point without any programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs (uniform resource locators) via e-mail.

Dai Zovi, who lives in New York, sent a URL that exposed the hole. Since the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.

Though CanSecWest's Ruiu said that Apple has been heavy handed in its past dealings with security researchers, Dai Dovi said that has not been his experience." I have yet to hear anything from Apple besides their standard reply to a vulnerability submission," he said in an e-mail interview. Dai Dovi said he has reported at least eight security vulnerabilities to Apple and has had "nothing but positive interactions" with the company.

Nancy Gohring in Seattle contributed to this report.

Was this article useful? Yes 0 No 0

Read more like this: , , ,

Add Yours

Comments Readers reply with their ideas and expertise.

Subscribe to this discussion via email or RSS

  • What do you think?

  • Great year-end deals
    for small business!

  • Get 24/7 live remote AT&T Tech Support 360* service along with select Lenovo* PCs (with Intel® Core™ 2 Duo processors) and save up to 200!

    Learn more

  • HP EliteBook* 6930p Notebook with Intel® vPro™ technology and a free HP Basic Docking Station - $641 instant savings!

    Learn more

  • *Other names and brands may be claimed as the property of others. ©2009 Intel Corporation. Intel, the Intel logo, vPro and Core trademarks of Intel Corporation in the United States and other countries. All rights reserved.
Business News Daily

Get the latest technology news that's important to you and your business, fresh seven days a week.

Featured Webcasts
More webcasts »

Free Whitepapers

Software and Services Whitepapers from PC World

More whitepapers »

Whitepaper Alerts

Get updates on white papers, case studies, and spotlights on tech products and solutions for your business.

PC World's Marketplace

Sponsored Links