
Apple QuickTime Java Handling Unspecified Code Execution

Straight out of CanSecWest, we now have an advisory posted for QuickTime. This covers the hack that allowed Dino Dai Zovi to pwn a MacBook in a hacking contest at CanSecWest. This was previously erroneously attributed to a Safari hack.

From Secunia:

Description:
A vulnerability has been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an unspecified error within the Java handling in QuickTime. This can be exploited to execute arbitrary code when a user visits a malicious web site using a Java-enabled browser e.g. Safari or Firefox.

The vulnerability is reported on a Mac OS X system using Safari and Firefox. Other browsers and platforms may also be affected.

Solution:
Disable Java support.

Do not browse untrusted websites.

Provided and/or discovered by:
Dino Dai Zovi

There is currently no patch.
