What started off as a Mac-based hack in the [hack-a-Mac contest at the recent CanSecWest conference][3] has turned into a cross-platform vulnerability that affects not just OS X, but [reportedly Windows as well][2].
The OS X vulnerability exploited by hackers is not a flaw in OS X after all. Instead, QuickTime is to blame for the vulnerability, and the exploit is made possible by a flaw in the way QuickTime interacts with Java.
Because QuickTime and Java are also found on many Windows machines, the vulnerability most likely affects Windows users as well -- though that has yet to be officially confirmed.
Apple has not addressed the issue publicly yet beyond the usual PR-speak. An Apple rep [told CNet][4] earlier in the week that "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Unfortunately, in this case Apple hasn't addressed the issue before it can affect users. Secunia, a security analyst firm, has [rated the flaw as highly critical][1] and suggests that users disable Java support until Apple issues a patch.
Many OS X users have taken the revised information as proof that Mac OS X is more secure. But the fact that the hackers at the conference were unable to find a true flaw in OS X within the timeframe of the contest does not mean there aren't flaws to be found.
[1]: http://secunia.com/advisories/25011/ "Apple QuickTime Java Handling Unspecified Code Execution"
[2]: http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/ "MacBook Vuln In Quicktime, Affects Win32 Apple Code"
[3]: http://blog.wired.com/monkeybites/2007/04/mac_hack_challe.html "Mac Hack Challenge Requires Rule Change To Find Winner"
[4]: http://news.com.com/MacBook+hacked+in+contest+at+security+event/2100-7349_3-6178131.html "MacBook hacked in contest at security event"