Apple has stitched up the hole in QuickTime that allowed hackers at the CanSecWest security show to take over a MacBook Pro in a Pwn-2-Own contest on April 20.
The zero-day vulnerability was discovered by Dino Dai Zovi, a principal at security firm Matasano Security, who then passed it on to his accomplice on-site at the show, developer Shane Macaulay. The exploit netted Macaulay a 17-inch MacBook, and Dai Zovi pocketed $10,000 in prize money.
The hole is a serious one: Terri Forslof, manager of security response at TippingPoint, compared it to the Windows animated cursor vulnerability in terms of impact and the possibility of system hijacking to which both flaws can lead.
“The method of attack is the same as what Microsoft calls ‘Click and you’re owned.’ You get an e-mail, visit a malicious Web site and boom, you’re owned. Where there’s still that one-step user interaction, it’s still a serious vulnerability. Anytime you illegally break into a machine, it’s a hack,” Forslof told me last week.
In issuing the update, QuickTime 7.1.6, Apple described it as an implementation issue in QuickTime for Java that may allow reading or writing out of the bounds of the allocated heap. The exploit works by enticing a user to visit a site containing a maliciously crafted Java applet, which the attacker can trigger and use to cause arbitrary code execution.
The update, available for Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2 and Windows 2000 SP4, fixes the hole by doing additional bounds checking when creating QTPointerRef objects, Apple said.
The hole didn’t lead to exploits in the wild, although much commotion ensued after an apparent troll claimed to have wirelessly intercepted the exploit at CanSecWest. Although the claim was fairly ludicrous—the Pwn-2-Own contest was being held on a closed, wired network, and the wireless network at the show was being monitored and would have picked up on an intercept—the security and Apple user community momentarily freaked last week.