Security Watch

Keeping Track of patches and hacks in the IT security world.

Apparent Troll Claims to Have Snatched QuickTime Exploit at Security Show

A blogger using the name "Infosecsellout" has stirred up the security community by claiming to be in possession of wireless packets sniffed from CanSecWest—the same wireless packets involved in the Pwn-2-Own contest that turned up a highly critical QuickTime vulnerability.

Infosecsellout also claims to have reverse-engineered the vulnerability. If the claims are true, it would mean that a serious exploit exists in the wild—one that could affect any system that's running QuickTime and is Java-enabled. Considering the prevalence of Apple's iTunes, that would mean a vast number of vulnerable machines.

However, all signs are pointing to the claims being bogus trolling for clicks.

A commenter on security firm Matasano's blog who appears to be a CanSecWest organizer gave this explanation of why Infosecsellout's claims are groundless. The explanation echoes the description of the network given by CanSecWest during the show:

"Someone may have reverse-engineered the vulnerability but they didn't pull it off the network there. The network was very simple: a WAP that was connected to a hub and to the router to provide Internet access. The Macs sat on the hub and the only other systems on there were the ones we used to monitor the network to ensure rules were followed and then K2's when he ran the exploit. The WAP was routing traffic from the hub to the Internet, not sending it out over the wireless network. We were sniffing the traffic on the wireless network and would have noticed if it had been getting traffic from the wired side. Y'all know routing & switching protocols well enough to know that traffic destined for the Internet wouldn't end up on the pocket wireless network. The AP doesn't have enough smarts to mess up routing that way unless someone owned it (which is admittedly possible). The point is, no one sitting on the wireless network would have been able to sniff the traffic from the wired network to the Internet."
Another tip-off that Infosecsellout's claims are FUD: The blogger seems to believe the flaw has to do with JavaScript. Rather, it's a Java-based flaw.

Sources say the claims have stirred up Mozilla and Microsoft, both of which have browsers—Firefox and Internet Explorer—that are attack vectors for the vulnerability. TippingPoint has also gone back to CanSecWest organizers to reexamine the network and has been reassured that packet sniffing would have been impossible due to the safeguards that were in place during the show.

Infosecsellout also slurred TippingPoint's integrity:

"To add the the conspiracy theory, I cannot get anyone at Apple to confirm that Tippingpoint has already reported this issue to them to have it fixed. So why the delay? It has been claimed in the press that this issue could be as serious as the ANI flaw. Is Tippingpoint really ready to put Mac users at risk just for some extra marketing opportunity?"

If Infosecsellout doesn't know that Apple doesn't usually stoop to communicate with the press, it only goes to underscore his or her naivete and thereby his or her lack of credibility. TippingPoint confirms that they've been working with Apple on the flaw. I would never claim that a business, including TippingPoint, wouldn't pull a publicity stunt, but if I were to accuse a company of doing so I'd base it on something that could be considered evidence, as opposed to whining that Apple won't return my calls.

*This post was edited: I goofed and listed Safari when I meant Firefox. Thanks for catching that, Ilir. Also the two last paragraphs are new--I wanted to point out Sellout's smearing of TippingPoint.