Apple fixes Quicktime security flaws
In an update yesterday, Apple fixed one iTunes bug and patched ten security flaws in Quicktime, one of which had been hidden in plain sight in a hackers book published earlier this year.
As far as is known, most of the security flaws that were fixed in this update were unknown before the update was issued. All of the flaws affect both Mac and Windows versions of the products. One of them, however was hidden in plain sight by Charlie Miller and Dino Dai Zovi’s in a book titled The Mac Hacker’s Handbook, which was released in March of this year. There does not appear to be any evidence that anyone found this clue or used the associated exploit.
Miller, who won one of the prizes for successful security exploits at the CanSecWest conference in March, said during a conference session that he had hidden instructions for finding a security flaw in his book, according to a PC World story. When members of Apple’s security later team spoke with him at the conference to ask about the flaw, he gave them the exploit code that he had been talking about, according to a recent statement.
Miller granted an interview Monday, in which he said he placed instructions for finding the security flaw in a section of the book that describes, in general, how to find security flaws in Apple software. Specifically, he said, “If you followed all the steps you would find … the bug. I didn’t show the bug, but I gave the recipe for how to find it.”
It turns out that the same bug was found independently by a “security researcher” named Damien Put. Rather than hide his knowledge of the flaw in a book, Put sold his knowledge to the TippingPoint division of 3Com, who then reported the flaw to Apple. Apple later informed 3Com that they already knew about the flaw.
The relationships among hackers, security companies, and OS/application publishers always seems a little incestuous. Since there is often no exploit in the wild that can be associated with the security flaws found, it seems like the only dangerous people in the mix are those hackers that are selling their discoveries to the interested parties.
If they are the only ones finding the flaws, and if they do it for profit, are we more or less at risk because of them? If no one paid them, would these hackers exploit the flaws themselves? If so, should that be construed as a form of blackmail, or as taking advantage of a truly unique skillset? The ethics surrounding this entire small (in) security world are very muddy indeed.
Related Posts:
