The QuickTime bug revealed at CanSecWest last week turns out to affect everything that’s Java-enabled and that has QuickTime installed, including IE 6 and IE 7 on Vista, browsers that were originally thought to be safe due to sandboxing techniques. Researchers are urging all users of QuickTime–and that means you, if you have iTunes installed–to turn off Java.
That Apple’s Safari browser is an attack vector for the flaw was known on Friday, when Matasano Security principal Dino Dai Zovi used it to earn a $10,000 cash prize in the Pwn-2-Own contest at CanSecWest. Soon after, TippingPoint added Mozilla’s Firefox to the list of attack vectors, and on Tuesday night discovered that IE is also an attack vector.
Terri Forslof, manager of security response at TippingPoint, said this QuickTime flaw is comparable to Microsoft’s ANI vulnerability in terms of severity, and Secunia has rated it highly critical—its second most serious rating (the highest being “extremely critical.”)
“This is probably one of the biggest vulnerabilities we’ve seen,” Forslof told me today. “It affects every platform, every browser. It’s widespread, and nobody’s immune to this thing.”
As of now, there is no exploit code out in the wild, although one blogger calling himself or herself “Infosecsellout” is making claims that he or she has “the advantage of a full packet capture of the entire contest” and has confirmed the vulnerability with “good ‘ol fashioned vulnerability research.”
These claims are being dismissed by CanSecWest organizers, who stand behind the security of the network on which the Pwn-2-Own contest was held. Forslof dismissed the blogger as an irresponsible exploiter dealing in nothing but FUD. The supposed exploit nabber’s claims are also undermined by the fact that he or she didn’t get the flaw’s technical details right, calling it a JavaScript-enabled flaw as opposed to what it is: a Java-enabled flaw. (Disclaimer: The blogger might have gotten that fallacy from me—I believe this might be the case, given that he or she referred to press reports comparing the severity of the QuickTime bug to that of the ANI vulnerability. In my feeble defense, I only said JavaScript once, and it was a typo. Plus, I’m not making foolish FUD claims and getting people at Mozilla and Microsoft all cooked up over the thought that the exploit’s in the wild. Shame, Sellout, shame.)