QuickTime flaw opens Java-based browsers to one-click attacks; rumors of public exploit circulate

Schemes requiring little user interaction could exploit a QuickTime vulnerability on any Java-enabled web browser with the media player installed, including Internet Explorer (IE) 6 and 7 on Microsoft's Windows XP and Vista operating systems, according to researchers.

While rumors of a public exploit have circulated on the web, attacks have not been spotted in the wild.

End-users should employ common-sense web browsing and email practices, Terri Forslof, manager of security response at TippingPoint, said today.

"Essentially, it’s a click-and-you’re-owned vulnerability, so clicking on a URL out of an email or a website that has malicious content [could lead to exploitation]," she said. "If you look at the Microsoft advisories in dealing with IE vulnerabilities, the same sort of common sense applies here."

In a post today on the Matasano Security blog, Thomas Ptacek delivered a dire warning about the flaw, but did not confirm a public exploit.

"There are a lot of things we’ve learned in the past couple of days that lead us to believe that the QuickTime hole is going to cause real [read: mom’s bank account] problems," he said.

The flaw, originally thought to exist in Apple’s Safari browser, was revealed at the CanSecWest conference in Vancouver, B.C. last week.

Dino Dai Zovi and his partner Shane Macaulay won a "hack-a-Mac" contest using the flaw, taking home $10,000 from TippingPoint (which purchased the flaw) in the process.

TippingPoint said Wednesday that it confirmed the flaw affects Vista through IE7.

A Microsoft spokesperson said today that the company is "aware of public reports of a potential vulnerability in Apple’s QuickTime Player."

"Our initial investigation has shown that this is not a vulnerability in a Microsoft product, and [Microsoft] recommends Apple QuickTime Player customers follow guidance Apple provides about this issue," said the spokesperson.

An Apple representative could not be reached for comment today.

Forslof and other researchers have urged end-users to disable Java in response to the vulnerability.

Rumors circulated this week that the exploit used at CanSecWest had been leaked. These rumors were not confirmed.

Ptacek blogged on Wednesday that "the bulk of the ‘it leaked!’ leads in this soap opera are not panning out, fortunately for all involved."

Andrew Storms, director of security operations for nCircle, said the corporate world could be hindered by disabling Java.

"I’m actually more concerned with the few million people that have to go and turn off Java, and that’s a huge impact on businesses," he said. "That’s really the part that worries me, where these security ops teams are going to have to decide whether to continue to use Java."

Click here to email Frank Washkuch Jr.