Mac OS X Hacking Poses Wide Risk… for Windows

The public hacking of a MacBook Pro in a contest at the CanSecWest 2007 security conference in Vancouver poses a wide risk that expands to users outside of the Apple platform. This is the conclusion put forward by two research VPs from Gartner. Rich Mogull and Greg Young opined that the uncovering of a zero-day vulnerability in the Apple QuickTime media player that ships by default with Mac OS X, but that is also available as a plug-in for Windows, was not beneficial in the least, calling it an “incident (that) highlights the danger of vulnerability research conducted in public.”

“Upon further investigation, researchers found that the vulnerability lies within an application programming interface (API) that QuickTime exposes to Java applets (code run in Web browsers). The sheer breadth of systems and browsers that potentially could be affected means that this could be a serious browser vulnerability. No single safeguard can guarantee complete protection,” Mogull and Young stated.

The two Gartner analysts ignore the fact that there have been no attacks or exploits related to the QuickTime vulnerability, and they simply assume potential risk. Although there have been reports that Dino Dai Zovi's original exploit could have been captured, such scenarios were not confirmed. Furthermore, the information available about the vulnerability is too scarce to allow for reverse engineering.

This, however, failed to stop Gartner from condemning public contests for vulnerabilities. Gartner has a unique and illogical perspective on vulnerability disclosures. The firm proposes that all public vulnerability marketing events should be put to an end because of potential unanticipated consequences that could endanger users.

Microsoft has adopted a similar position, applauding the responsible approach to disclosing vulnerabilities, and has stated numerous times that it would not put in place an infrastructure to reward the identification of security flaws.

“Public vulnerability research and “hacking contests” are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcement. Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities,” Mogull and Young added.

Still, an informed user is also a protected user. The Apple QuickTime flaw puts every Windows user with a Java-enabled browser at risk. Informing customers of the existence of the flaw, along with mitigation methods, is also an example of responsibility, but this time towards the end user and not the vendor.