
QuickTime At Fault for Mac Hack; Windows Users Also At Risk

Last week, a contest was held to find a serious vulnerability in a pair of Apple MacBook Pros that would allow an attacker to gain full control of the systems. Although only half of the goals the contest originally required were met, the hackers were able to gain some privileges on the systems.

It was first believed that the vulnerability existed in the Safari web browser, but it has now been learned that the vulnerability is actually in QuickTime's handling of Java:

“Dino’s finding targets Java handling in QuickTime,” said Matasano researcher Thomas Ptacek on the group’s blog. “Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple’s vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability.”

Ptacek confirmed that both Safari and Mozilla Corp.’s Firefox can be exploited through the new QuickTime bug. Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime’s plug-in is installed. If, as the group said, any Java-enabled browser can be exploited if QuickTime is installed, that would also place Microsoft’s Internet Explorer users in the at-risk group.

As of this writing, the exploit code remains private; however, users who have QuickTime installed should disable Java, or use NoScript with Firefox and enable Java only on trusted web sites.

[QuickTime the culprit in Mac hack; Windows may also be at risk]
