Because if you do, you've probably installed QuickTime without realizing it. Why is this relevant? Well, if you've been in a cave for the last week, you may not have heard about the QuickTime/Java vulnerability discovered during the CanSecWest conference, which happens to affect just about anyone with those two applications installed. If you try to uninstall QuickTime, it'll happily oblige, but then iTunes won't work anymore. So it boils down to two options: either disable Java, or find another MP3 player for the time being (unless you bought a bunch of DRM-protected music from iTunes, in which case you're locked in).

As reported by SC Magazine today:

"Essentially, it’s a click-and-you’re-owned vulnerability, so clicking on a URL out of an email or a website that has malicious content [could lead to exploitation]," she said. "If you look at the Microsoft advisories in dealing with IE vulnerabilities, the same sort of common sense applies here."

In a post today on the Matasano Security blog, Thomas Ptacek delivered a dire warning about the flaw, but did not confirm a public exploit.

"There are a lot of things we’ve learned in the past couple of days that lead us to believe that the QuickTime hole is going to cause real (read: Mom’s bank account) problems," he said.

Incidentally, Apple recently announced that they have sold over 100 million iPods. That translates to a lot of vulnerable computers. And that's not even including all the people who use iTunes without actually owning an iPod.

From TippingPoint's perspective, talk about getting your $10,000 worth. This is huge, and since they own the rights to the information, they can milk the limelight as long as they want.

Here's a glimpse at how the fun began:

K2 MacBook

Shane Macaulay shortly after claiming the prize for the "Pwn To Own" contest
(Photo credit: dmuz)


About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (4)

Ryan Russell | April 28, 2007 9:30 pm

If memory serves, last time I checked, iTunes goes through a QuickTime library to decode and play protected AAC tunes.

CEng | April 29, 2007 1:44 pm

Yeah, I guess that makes sense. Some of us just use it as an MP3 player though. Too bad protected AAC (and/or M4P) support isn't an optional feature. Then I'd still be able to have Java enabled in my web browser.

Adrian Sanabria | April 30, 2007 11:57 am

If the vulnerability is related to the QuickTime browser plugin, wouldn't removing the plugin be a 3rd option? (For Firefox, it is usually just a single DLL in the "plugins" directory.)

Ma petite parcelle d'Internet... | May 18, 2007 12:41 am

<strong>How was Cansecwest 2007?...</strong>

As for the challenge, it's settled. Only one of the two Macs was won, by Shane "K2" Macaulay, through a flaw in Quicktime exploited via Safari. The ten thousand dollars will go to Dino Dai Zovi, who coded the exploit. K2 was a good sport about it...
