
Apple Bug Bites OS X, Windows

An exploit for a newly discovered critical flaw in Apple's QuickTime video app could mean trouble for Mac, PC users

Jan 02, 2007 | 05:20 AM

By Kelly Jackson Higgins
DarkReading

The Month of Apple Bugs (MOAB) kicked off this week with a new and potentially critical bug in Apple's popular QuickTime application that affects both Mac OS X and Windows users. (See An Apple (Bug) a Day.)

LMH, who heads up the MOAB research project, released an OS X-based exploit for the bug and says he may also unleash one for Windows. The vulnerability in QuickTime's URL handler lets an attacker trigger a stack-based buffer overflow, which would then allow them to run arbitrary code on the victim's machine. And when combined with another flaw, the attacker can "own" the machine, according to LMH.

Meanwhile, researcher HD Moore says a Metasploit contributor has built a Metasploit 3 module for the Windows version of the exploit. "Just about everyone has to install QuickTime at some point, and since the bug applies to the Windows version as well, it's just as critical as an Office or browser bug."

The QuickTime vulnerability is trivial to exploit, says David Maynor, CTO of Errata Security. "This is one of the most dangerous bugs in Apple I have ever seen. The debate about if this bug is real and exploitable has pretty much been made null and void by the exploit being released," he says. "Apple users should worry a lot."

But not all researchers are enamored of MOAB's work, especially since it does not alert Apple in advance of a bug or exploit. Thomas Ptacek, a researcher with Matasano Security, says there's a growing consensus among the research community that the month-of-bugs approach is no longer effective.

"It is impossible to argue that you're working to improve security if you spring vulnerabilities on vendors, with exploits, via a blog post," says Ptacek. He notes that the original Month of Browser Bugs (MOBB) made sense because it shed light on how browser security was ignored.

"The MOBB thing was a 'shock and awe' move designed to highlight the fact that people were ignoring browser security, and people sort of were ignoring browser security," he says. "But be serious -- nobody is ignoring Apple security and nobody is ignoring kernel security."

MOBB creator Moore says he believes the MOAB is raising Apple security awareness. "[It] seems to be the answer to a ton of denial and hubris about whether Apple products are more secure than any other vendor."

Meanwhile, the QuickTime bug is in Version 7.1.3, Player Version 7.1.3, but the MOAB site says older versions are likely vulnerable as well. How can you protect yourself from this QuickTime bug? Uninstall QuickTime and deactivate the rtsp:// URL handler, LMH says, and don't trust any QTL files, or use Mozilla's Firefox browser.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
