Apple Bug-Tracking Project Releases QuickTime Exploit
01/02/07 3:09 PM PT
Security researchers are reviewing the first flaw in what is being dubbed the "Month of Apple Bugs" (MOAB), a project designed to improve the Mac by uncovering security flaws in Apple software and third-party applications developed for Mac OS X. The project aims to release a new vulnerability each day during the month of January.
Like its 2006 predecessors, the Month of Browser Bugs and the Month of Kernel Bugs, the Month of Apple Bugs project is publishing one vulnerability per day, with the aim of releasing 31 issues over the course of January. The project kicked off Tuesday by exposing a simple vulnerability in Apple's QuickTime, the media player and framework that lets users capture, watch and share video.
The issue has been successfully exploited against QuickTime version 7.1.3, according to the MOAB Web site, and the project's leaders say earlier versions are also likely to be vulnerable. Both the Windows and Mac OS X versions are affected. The project leaders described the vulnerability as "trivial" to exploit and, as a demonstration, published proof-of-concept code that displays "Happy New Year" on systems running QuickTime.
Apple could not immediately be reached for comment.
"Based on the first bug and earlier comments, it appears that working proof-of-concept exploit code will be released with at least some of the bugs. Given the lack of patches for these issues, these bugs could be used for targeted attacks of malicious code," said Michael Sutton, security evangelist at SPI Dynamics.
The project leaders deny that MOAB is intended as any kind of plot to discredit the computer maker. "Getting problems solved makes [using OS X] a bit more safe each day," they wrote on the MOAB Web site. "Flaws exist with and without people disclosing them. If we wanted to make [a] business out of this, we would be selling the issues and the proper exploit for each one."
No Advance Warning
Apple will not receive notification prior to the release of most advisories, they added, explaining, "the problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time -- even when the fix should be trivial."
In light of MOAB's intent, Sutton expects Apple will scramble to release some software patches.
Historically, Apple has drawn far less attention from security researchers than Microsoft. "With its recent move to the Intel platform and increasing popularity, Apple should expect to come under greater scrutiny," Sutton concluded.