Straight out of CanSecWest we now have a advisory posted for Quicktime. This covers the hack that allowed Dino Dai Zovi to pwn a MacBook in a hacking contest at CanSecWest. This was previously erroneously attributed to a Safari hack.

From Secunia:

Description:
A vulnerability has been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an unspecified error within the Java handling in QuickTime. This can be exploited to execute arbitrary code when a user visits a malicious web site using a Java-enabled browser e.g. Safari or Firefox.

The vulnerability is reported on a Mac OS X system using Safari and Firefox. Other browsers and platforms may also be affected.

Solution:
Disable Java support.

Do not browse untrusted websites.

Provided and/or discovered by:
Dino Dai Zovi

There is currently no patch.

Article Link

[tags]QuickTime, Java Handling, Remote Code Execution[/tags]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.