Because if you do, you’ve probably installed QuickTime without realizing it. Why is this relevant? Well, if you’ve been in a cave for the last week, you may not have heard about the QuickTime/Java vulnerability discovered during the CanSecWest conference, which happens to affect just about anyone with those two applications installed. If you try to uninstall QuickTime, it’ll happily oblige, but then iTunes won’t work anymore. So it boils down to two options: either disable Java, or find another MP3 player for the time being (unless you bought a bunch of DRM-protected music from iTunes, in which case you’re locked in).
As reported by SC Magazine today:
“Essentially, it’s a click-and-you’re-owned vulnerability, so clicking on a URL out of an email or a website that has malicious content [could lead to exploitation],” she said. “If you look at the Microsoft advisories in dealing with IE vulnerabilities, the same sort of common sense applies here.”
In a post today on the Matasano Security blog, Thomas Ptacek delivered a dire warning about the flaw, but did not confirm a public exploit.
“There are a lot of things we’ve learned in the past couple of days that lead us to believe that the QuickTime hole is going to cause real (read: Mom’s bank account) problems,” he said.
Incidentally, Apple recently announced that they have sold over 100 million iPods. That translates to a lot of vulnerable computers. And that’s not even including all the people who use iTunes without actually owning an iPod.
From TippingPoint’s perspective, talk about getting your $10,000 worth. This is huge, and since they own the rights to the information, they can milk the limelight as long as they want.
Here’s a glimpse at how the fun began:
Shane Macaulay shortly after claiming the prize for the “Pwn To Own” contest
(Photo credit: dmuz)