The contest, held as part of last week’s CanSecWest security conference in Vancouver, put a pair of MacBook Pro notebooks updated with the latest security patches on the ropes. The battle was won by Dino Dai Zovi, who sent a URL containing an exploit to a friend who was attending the conference: Shane Macaulay. Dai Zovi won the $10,000 prize offered by the Zero Day Initiative, while Macaulay got a MacBook Pro.
Sean Comeau, one of the organizers of CanSecWest, indicated that the bug was in Safari, the Web browser included with Mac OS X, but researchers from Matasano Security LLC, a New York-based consultancy, have indicated that the bug was actually found in QuickTime.
Ptacek has confirmed that both Safari and Mozilla’s Firefox can be attacked using the QuickTime bug. Matasano has indicated that it assumes Firefox on Windows PCs is also vulnerable as long as the QuickTime plug-in is installed. Moreover, if, as the group has indicated, any Java-enabled browser can be attacked as long as QuickTime is installed, then Internet Explorer users would also be at risk.
According to Ptacek, “Disabling Java stops the vulnerability.”
QuickTime has already had several vulnerabilities and was most recently patched in mid-March. It also received an update in January to close a hole found by the Month of Apple Bugs project.