Hacking contest yields QuickTime exploit

A researcher took just nine hours to find a flaw in Apple's QuickTime

A security researcher has claimed a $10,000 bounty by crafting a security exploit that targets Apple's QuickTime software. 

The exploit was demonstrated on a fully-patched Mac OS 10.4.9 system running Apple's Safari browser.

Both the Mac and PC versions of Firefox have been confirmed as susceptible to the attack, but early tests suggest that Microsoft's Internet Explorer could not be used as an avenue for attack.

Independent researcher Dino Dai Zovi crafted the attack, which uses JavaScript code embedded in a web page. When executed, the exploit provides the attacker with access to the machine under the user's account privileges.

"You can steal cookies, you can steal browser cache, you can install malware. It is definitely serious," said independent security researcher Tom Ferris. 

Users can defend against the vulnerability by disabling Java within the browser or by removing the QTJava.jar extension.

Dai Zovi wrote the exploit for a contest at the CanSecWest conference in which researchers were challenged to break into a pair of fully-patched MacBook Pro laptops. 

A successful exploit wins the researcher the target machine and a $10,000 reward from Tipping Point's Zero Day Initiative.

The process of finding the vulnerability and writing the attack took Dai Zovi just nine hours.

"I began looking for a browser-based vulnerability around 10pm on Thursday night, had found one by around 3am, and had written a reliably working exploit by 7am," he told vnunet.com in an email interview.

As part of the contract for collecting the reward, Dai Zovi agreed to hand over the handling and development rights to the vulnerability to Tipping Point.

The company then immediately contacted Apple to report the flaw and added a fix to its own security software.

Apple did not return a request for comment. The company has a policy of not confirming or discussing vulnerabilities until after a fix has been issued.