The attack successfully used in last week's CanSecWest competition exploits a Java-based flaw in QuickTime and affects all browsers on systems with the multimedia software installed, possibly including Windows, Dino Dai Zovi, who discovered the flaw, told SecurityFocus on Monday.
"Firefox on Windows is considered at risk at this time," said Dai Zovi, who had been cleared by TippingPoint's Zero Day Initiative to discuss certain aspects of the attack. "Safari and Firefox are considered vulnerable on Mac OS."
Security researcher Shane Macaulay used the flaw to compromise a MacBook Pro on Friday at the CanSecWest conference to successfully win one of the two MacBooks offered as a prize. Dai Zovi, who found the flaw used in the attack, will receive a $10,000 bounty offered by TippingPoint, the security division of networking giant 3Com. That figure is in line with the price paid for vulnerability information by TippingPoint in the past, which launched its vulnerability-buying program in 2005.
To be safe, users of both the Mac OS X and Windows should turn off Java, if they have Apple's QuickTime software installed, Dai Zovi said.
UPDATE: The article was updated with additional information about TippingPoint's vulnerability buying program, the Zero Day Initiative.
Posted by: Robert Lemos