QuickTime Vulnerability Exposed by Contest Poses Wide Risk

G00148455

Analyst(s):


Summary

All Java-enabled browsers with Apple QuickTime installed are at risk from a vulnerability discovered at a security conference contest. The incident highlights the danger of vulnerability research conducted in public.

News Analysis

Event

  • On 20 April 2007, at a Macintosh hacking contest held at and conducted by the CanSecWest security conference in Vancouver, two security researchers successfully broke into a MacBook Pro notebook computer with all currently available security patches installed. For this exploit, the researchers collected a $10,000 prize offered by the intrusion prevention system (IPS) vendor TippingPoint (a division of 3Com), and the MacBook Pro.

  • On 23 April 2007, researchers discovered that the flaw exists in the Apple QuickTime player, and that any system with a Java-enabled browser and QuickTime installed is potentially vulnerable to attack — including Safari, Mozilla's Firefox and Microsoft Internet Explorer — whether the software runs on the Mac or the Windows operating system. No patch is yet available.

Analysis

Although there are no confirmed reports of any exploits for this vulnerability, with some details of the vulnerability now public, enterprises should assume they are at risk for a potential breach.

Upon further investigation, researchers found that the vulnerability lies within an application programming interface (API) that QuickTime exposes to Java applets (code run in Web browsers). A successful exploit would provide access at the privilege of the currently logged-in user. So far, the vulnerability is known to affect any Web browser on any operating system with QuickTime 2 installed and enabled in the Web browser. The sheer breadth of systems and browsers that potentially could be affected means that this could be a serious browser vulnerability. No single safeguard can guarantee complete protection.

Public vulnerability research and "hacking contests" are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements. Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities — which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers.

Recommendations

Users:

  • Weigh the loss of functionality and the disruption of disabling Java and/or removing QuickTime 2 until Apple (and possibly the browser makers) makes a patch available, against the fact that, as yet, there are no known exploits and that other safeguards offer some protection.

  • If you use host IPSs, look for a signature for this vulnerability from your vendor and deploy it as soon as it becomes available, since an exploit could be delivered via Web mail or reach a user who is outside the enterprise perimeter (for example, on a laptop). Update antivirus signatures for e-mail-based applications when they become available, as they could help protect against an e-mail vector.

  • Enable network IPS signatures for this vulnerability as they become available to block potential attacks via Web links. Network IPSs offer a good first line of defense; however, recognize that an exploit could be made via an SSL encrypted session that is not subject to inspection.

Vendors and security services firms:

  • Consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users.


© 2007 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
