Apple’s QuickTime Zero-Day Flaw Also Affects IE

The vulnerability that software engineer Dai Zovi exploited to hack into Mac OS X at the CanSecWest conference in Vancouver can also harm Microsoft's Internet Explorer browser running on the Windows Vista operating system, researchers at TippingPoint said on April 26, 2007.

Initially, security experts thought that the flaw was exploitable only via Apple's Safari and Mozilla's Firefox browsers running on Macs as well as Windows PCs. But now TippingPoint researchers have determined that the flaw within Apple's QuickTime media player also affects Internet Explorer on Windows.

According to Terri Forslof, manager of security response at TippingPoint, new facts and issues emerged during analysis of the flaw. SCMagazine published Forslof's statement on April 26, 2007.

Earlier, the proof-of-concept code that Dai Zovi provided worked only on the Safari and Firefox browsers, Forslof said. But after further tests it is certain that the code impacts both the Windows and Mac operating systems, she said. There is a strong belief that the issue affects any browser with JavaScript, since the vulnerable component is the QuickTime Java extension.

Any Java-enabled Web browser on a system where QuickTime is installed can be affected by the flaw, according to TippingPoint. A hacker could take advantage of the flaw by drawing victims to a malware-hosting site.

No further details about the flaw will be disclosed until Apple develops a patch for it. TippingPoint, which specializes in selling intrusion prevention systems, had set a prize of $10,000 for exploiting the Mac zero-day flaw at the "PWN to Own" hack-a-Mac competition at the CanSecWest conference.

Deactivating Java in a Web browser protects a computer from these attacks, said Dino Dai Zovi, the discoverer of the flaw. Builderau reported this on April 26, 2007. Since Apple includes QuickTime by default in Mac OS, Macs are vulnerable out of the box. Windows users, however, are vulnerable only if they install QuickTime.

Jeremiah Grossman, founder and CTO of WhiteHat Security, told SCMagazine on April 23, 2007 that the bug is not acceptable, but that browsers commonly have vulnerabilities these days.

Apple issued a security update on April 26, 2007 to patch 25 flaws. But it did not include one for the new Safari flaw.


» SPAMfighter News - 5/3/2007
