QuickTime Bug Affects All Java-Enabled Browsers

The QuickTime bug revealed at CanSecWest last week turns out to affect everything that's Java-enabled and that has QuickTime installed, including IE 6 and IE 7 on Vista, browsers that were originally thought to be safe due to sandboxing techniques. Researchers are urging all users of QuickTime--and that means you, if you have iTunes installed--to turn off Java. That Apple's Safari browser is an attack vector for the flaw was known on Friday, when Matasano Security principle Dino Dai Zovi used it to earn a $10,000 cash prize in the Pwn-2-Own contest at CanSecWest. Soon after, TippingPoint added Mozilla's Firefox to the list of attack vectors, and on Tuesday night discovered that IE is also an attack vector.

Terri Forslof, manager of security response at TippingPoint, said this QuickTime flaw is comparable to Microsoft's ANI vulnerability in terms of severity, and Secunia has rated it highly critical—its second most serious rating (the highest being "extremely critical."'' "This is probably one of the biggest vulnerabilities we've seen," Forslof told me today. "It affects every platform, every browser. It's widespread, and nobody's immune to this thing."

View: The full story
News source: eWeek

Report a problem with article
Previous Story

Intel, Google Online Marketing Pact Gets Thumbs-Up

Next Story

Microsoft's search group loses another executive

14 Comments

Commenting is disabled on this article.

Dakkaroth - If you understood the differences between the various forms of slanting an argument, you'd have responded in a much more educated manner.

Your lack of education is what keeps you securely locked in place by bised reporting whereas the rest of us are free to see BS when it's thrown at us.

There's nothing wrong with Java, it's crappy implementations that break the sandbox model (MSJava anyone?) that unfairly give it a bad name.

Can someone please explain why this article is prominently displaying the IE logo when this is a Quicktime flaw?

I am really beginning to loose complete and total confidence in Neowin. It's because of this exact reason that I stopped reading the articles on Zdnet.

Maybe because it affects browsers? The flaw in QT does not really affect the little video player, but rather any Java-enabled browsers.

On a side note: it doesn't take much to tick you off, huh? You must be one of those people with everything having to be put exactly in its place. Like my old Latin teacher.. wait, you're not him, are you? Just curious.

NPGMBR said,
Can someone please explain why this article is prominently displaying the IE logo when this is a Quicktime flaw?

I am really beginning to loose complete and total confidence in Neowin. It's because of this exact reason that I stopped reading the articles on Zdnet.

The flaw isn't with the Quicktime Video player, but the plugin-which affects browsers. We knew it affected Safari. Which is the bigger news to you, that it's a Quicktime problem or that it affects Internet Explorer? Quite obvious.

zachdms said,
Right, but if I'm using Firefox, I may chortle and just skim over the IE-branded article and get owned.... :)

If it had the QT logo, I think I'd skim even faster over it. :P

What I want to know is, who is responsible for fixing this thing - Sun with Java or Apple with Quicktime - or both? I know they call it a "quicktime flaw", but no one (in the journalism field) knows for certain because they can't see the actual exploit. For all we know, if could be a flaw in Java.