Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

QuickTime hole could be ‘real bad’

p2pnet.net news:- A hacker hacked a Mac for a $10,000 prize at the CanSecWest security conference in Vancouver, British Columbia, Canada.

The winner was Dino Dai Zovi and his exploit for the QuickTime vulnerability is “very serious,” according to security researchers quoted by Computerworld.

And, horror of horrors, the hack was out in the wild, said various reports.

Security researcher Thomas Ptacek blogged, “There are unconfirmed reports, from multiple credible sources, that the challenge MacBooks from the contest were exposed to an unprotected wireless network, and that raw packet captures of the successful exploit have been taken by parties unknown to us.”

“This started out fun, because we were dealing with a laboratory-isolated specimen of a problem that Apple was in a position to easily fix,” says Ptacek on Matasanochargen. “But it turns out, that’s not the case. There are a lot of things we’ve learned in the past couple of days that lead us to believe that the QuickTime hole is going to cause real (read: Mom’s bank account) problems”.

He says the “gathering miasma of unpleasant details about this vulnerability” includes the facts that it:

  • affects Firefox as well as Safari
  • affects Windows as well as OS X
  • may or may not be auto-updatable on non-Mac platforms
  • may, or may not, be difficult for bad actors to reverse the vulnerability from the details already cleared by 3Com

But there’s a good part.

“Thankfully, I think we can put to rest the notion that the exploit is bouncing around in the wild,” soothes Ptacek, adding:

3Com has paid $10,000 for this vulnerability, and controls what details about it can be published. There are things users can and should do today, before patches are released, to mitigate the vulnerability. The entire world knows it exists, and a large body of talented attackers has a head start on where to look for the details.

3Com is in a much better position to fact-check and publish information about this bug than we are.

Meanwhile, “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” Computerworld has principal CanSecWest organizer Dragos Ruiu saying.

The idea was to have contestants try to use Wi-Fi to access one of two Macs while the Macs had no programs running, says the story, going on:

No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dai Zovi, who lives in New York, developed the exploit that exposed the hole, says Macworld, but the contest was only open to conference attendees, so he sent it to a friend in Vancouver, who claimed the prize.


Also See:
hacked a Mac - 25 Apple security holes, April 20, 2007
Computerworld - Hack challenge QuickTime bug not on the loose, April 26, 2007
blogged - URGENT: Unconfirmed Reports QuickTime Exploit Capture Is Circulating, April 25, 2007
Matasanochargen - EXCLUSIVE: MUST CREDIT MATASANO, April 26, 2007


6 Responses to “QuickTime hole could be ‘real bad’”

  1. Reader's Write Says:

    just PROVES it!

  2. Reader's Write Says:

    This just supports what I’ve been saying for years. Mac fanboys like to tell you that Macs are safer than Windows at every chance they get, but you know why?

    Nobody gives a shit about hacking Macs. If you wanted to damage as many computers as possible, would you target Windows, with most of the market share, or Macs, with less than 5% of the market? I thought so.

    If Macs had most of the market and Windows had 5%, Macs would be the ones being bombarded with viruses and security issues.

  3. Reader's Write Says:

    +1

  4. Reader's Write Says:

    yes, you are the only one who knew this….

    the same thing with any other OS, even HEAVEN FORBID open source.

  5. Reader's Write Says:

    Macintosh machines are 100% safe and have no known exploits. This is merely an attempt by the media to cast a bad light on the god of electronics, the beloved Steve Jobs.

  6. Reader's Write Says:

    Quicktime has always been terrible about wanting to take over all associations on your machine, and providing terrible compression schemes that can stop a 2.4GHz P4* dead in its tracks. About the only thing worse is Real’s nagware. This is one apple that is full of worms.

    I always get a case of the crawls when I hear someone say “Oh, I just use Quicktime to play the video…”

    * Not sure what the video was anymore, but I had one 160×100 video that ate 100% of the CPU resources of the machine in question.
