By Walaika Haskins MacNewsWorld Part of the ECT News Network
05/02/07 1:42 PM PT
On Tuesday, Apple issued an update for its media player QuickTime that fixes a flaw hackers could use to exploit Mac and PC computers. The flaw was originally made public last month when security experts at a conference used it to win $10,000 in a hack-a-Mac contest. The issue has raised questions about the safety of exposing security flaws in such public forums.
Apple (Nasdaq: AAPL) released an update for QuickTime Tuesday that corrects a flaw exposed by security researchers during a contest at the CanSecWest security conference last month. Recommended for all QuickTime 7 users, the new version, QuickTime 7.1.6, plugs a "critical security issue in QuickTime for Java, as well as numerous bug fixes," the Mac maker said.
More than simply an issue confronting Mac users, the flaw also affects many Windows users who have Apple's media player loaded on their PCs.
"[This is] extremely serious -- it's a cross-platform vulnerability that's easy to exploit and allows arbitrary code execution," Rich Mogull, a research vice president at Gartner (NYSE: IT), told MacNewsWorld. "This isn't just Mac users, the vulnerability is also on Windows, and most Windows users have QuickTime installed.
"Mac users will get this as part of a regular software update, but although QuickTime on Windows self-updates, some users may have this disabled," he added.
Apple's relatively quick response has been lauded by many security experts; however, the case has raised concerns about hacking contests as well as the distribution methods for cross-platform security patches.
Critical Player
The vulnerability in the media player deals with QuickTime for Java, Apple said. Users visiting a maliciously engineered Web site with an unpatched version of QuickTime (version 7 or earlier) could enable a criminal to take control of systems running Apple's Mac OS X, Microsoft's (Nasdaq: MSFT) Windows XP SP2 or Windows 2000 SP4.
"By enticing a user to visit a Web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution," Apple said in its security update.
Apple, however, warned QuickTime Pro users who download the new version that the software will disable the QuickTime Pro functionality in earlier versions, including QuickTime 5 or QuickTime 6. Users who continue with the installation will have to purchase a new QuickTime 7 Pro key to regain QuickTime Pro functionality, the company said.
The Apple Bug Hunters
Apple gives credit for the bug's discovery to security researchers Dino Dai Zovi, TippingPoint Technologies and the Zero Day Initiative. The bug came to light as a result of the CanSecWest security conference held in Vancouver, British Columbia. Conference organizers, in an attempt to highlight Mac-related security issues, hosted the "PWN to Own" Hack-a-Mac contest.
The goal for hackers was to find a way to remotely gain control of one of two MacBook Pro computers. The first person to compromise the system using an exploit that gave the attacker default user account access would win the computer. After a lukewarm response from conference attendees on the first day, security vendor TippingPoint added a little extra incentive in the form of a US$10,000 prize through its Zero Day Initiative program.
Publicly conducted vulnerability research and hacking contests are "risky endeavors" that "can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," according to Mogull and fellow Gartner analyst Greg Young.
"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT," the two wrote in a research note released Monday. "However, conducting vulnerability research in a public venue ... could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."
"Any time details of a vulnerability are made public before there's a patch available, it's highly likely that knowledgeable bad guys will be able to create an exploit for that vulnerability, making it very difficult for users and organizations to protect themselves," Mogull stated.
Mogull is not against hacking contests and the recent "Month of" blogs that have highlighted bugs and other flaws in software. The issue in the CanSecWest contest is that "enough information was released due to the public nature of the contest that a knowledgeable bad guy could have eventually discovered the same vulnerability," Mogull said.
It really depends on how these contests are handled, he added. Some of the "Month of" projects highlighted important security issues without placing users at risk. For instance, BreakingPoint Systems Security Research Director H.D. Moore's "Month of Browser Bugs" was handled very well, Mogull noted. The "Month of Apple Bugs" and others potentially placed users at risk because details were released with proof-of-concept code.
Who's Protected?
Software companies, Mogull pointed out, rarely consider the bug-finding projects and contests as helpful; in fact, many of them still prefer to pretend their products are perfect without any security issues. The projects -- at least those with good intentions -- are about protecting the user, not the software company.
"I also don't have a problem with hacking contests in general, but I do think major security vendors shouldn't be sponsoring 'zero-day' vulnerability contests. I support responsible disclosure, which can even include releasing details if a vendor is maliciously unresponsive," he stated.
Not all agree on the matter. "I would rather have the vulnerabilities come out during a hacking contest than I would have it come out on the black market and be sold and used for months before I even knew it was there," Rob Ayoub, an analyst at Frost & Sullivan, told MacNewsWorld.
Major security vendors are in the best position to control responsible disclosure in a contest like that, Ayoub added. If some other entity sponsored the contest, there could be some risk, he acknowledged, but TippingPoint is a well-respected security firm and it is better than a lot of places zero-day exploits can be found.
"Hackers are one up on the vendors anyway. The vulnerability is going to get out somehow. It's going to go to TippingPoint or some group in Russia, Romania or China," he continued. "I'd much rather it went to TippingPoint."