The QuickTime bug revealed at CanSecWest last week turns out to affect everything that’s Java-enabled and that has QuickTime installed, including IE 6 and IE 7 on Vista, browsers that were originally thought to be safe due to sandboxing techniques. Researchers are urging all users of QuickTime–and that means you, if you have iTunes installed–to turn off Java.
That Apple’s Safari browser is an attack vector for the flaw was known on Friday, when Matasano Security principle Dino Dai Zovi used it to earn a $10,000 cash prize in the Pwn-2-Own contest at CanSecWest. Soon after, TippingPoint added Mozilla’s Firefox to the list of attack vectors, and on Tuesday night discovered that IE is also an attack vector.
Terri Forslof, manager of security response at TippingPoint, said this QuickTime flaw is comparable to Microsoft’s ANI vulnerability in terms of severity, and Secunia has rated it highly critical—its second most serious rating (the highest being “extremely critical.”)
“This is probably one of the biggest vulnerabilities we’ve seen,” Forslof told me today. “It affects every platform, every browser. It’s widespread, and nobody’s immune to this thing.”
As of now, there is no exploit code out in the wild, although one blogger calling him or herself “Infosecsellout” is making claims that he or she has “the advantage of a full packet capture of the entire contest” and has confirmed the vulnerability with “good ‘ol fashioned vulnerability research.”