Apparent Troll Claims to Have Snatched QuickTime Exploit at Security Show
A blogger using the name "Infosecsellout" has stirred up the security community by claiming to be in possession of wireless packets sniffed from CanSecWestthe same wireless packets involved in the Pwn-2-Own contest that turned up a highly critical QuickTime vulnerability.
Infosecsellout also claims to have reverse-engineered the vulnerability. If the claims are true, it would mean that a serious exploit exists in the wildone that could affect any system that's running QuickTime and is Java-enabled. Considering the prevalence of Apple's iTunes, that would mean a vast number of vulnerable machines.
However, all signs are pointing to the claims being bogus trolling for clicks.
A commenter on security firm Matasano's blog who appears to be a CanSecWest organizer gave this explanation of why Infosecsellout's claims are groundless. The explanation echoes the description of the network given by CanSecWest during the show:
Sources say the claims have stirred up Mozilla and Microsoft, both of which have browsersFirefox and Internet Explorerthat are attack vectors for the vulnerability. TippingPoint has also gone back to CanSecWest organizers to reexamine the network and has been reassured that packet sniffing would have been impossible due to the safeguards that were in place during the show.
Infosecsellout also slurred TippingPoint's integrity:
To add the the conspiracy theory, I cannot get anyone at Apple to confirm that Tippingpoint has already reported this issue to them to have it fixed. So why the delay? It has been claimed in the press that this issue could be as serious as the ANI flaw. Is Tippingpoint really ready to put Mac users at risk just for some extra marketing opportunity?
If Infosecsellout doesn't know that Apple doesn't usually stoop to communicate with the press, it only goes to underscore his or her naivete and thereby his or her lack of credibility. TippingPoint confirms that they've been working with Apple on the flaw. I would never claim that a business, including TippingPoint, wouldn't pull a publicity stunt, but if I were to accuse a company of doing so I'd base it on something that could be considered evidence, as opposed to whining that Apple won't return my calls.
*This post was edited: I goofed and listed Safari when I meant Firefox. Thanks for catching that, Ilir. Also the two last paragraphs are new--I wanted to point out Sellout's smearing of TippingPoint.