Third 'Apple Bug' seems familiar

Stephen Withers
Thursday, 04 January 2007 09:16

Your IT - Home IT

The third instalment of the Month of Apple Bugs is less impressive than the first two, since it is apparently just a new way of exploiting a known vulnerability in QuickTime (as previously used by the MySpace XSS QuickTime worm).

The disclosure page does not indicate whether the Mac OS X version of QuickTime is affected as well as the one for Windows, and the proof of concept appears to rely on other Windows vulnerabilities. Furthermore, the exploit is described as a "cross-zone scripting attack," which is a Windows concept.

That shouldn't be taken as a claim that the QuickTime for Mac is 'safe' in this respect, but since the motivation for MoAB is said to be that "We like to play with OS X," we would have expected a Mac-based proof of concept.

Given that the QuickTime's ability to execute JavaScript contained within a movie's HREFTrack is an explicit feature (eg, to open a browser window with particular dimensions at a certain point in the movie), it isn't obvious how this issue could be best addressed within QuickTime.