I don’t think that anyone likes to hear about security-related bugs because they can get you all worked up. This new bug, however, is the very critical one found by Dino Dai Zovi at the recent Mac Hacking contest. It affects almost anyone who has QuickTime installed, on both Mac OS X and Windows, which is just about everyone with an iPod.
Secunia tracks vulnerabilities very closely, and according to them the bug affects both Firefox and Safari on Macs. Another researcher said that this also affects Windows Vista through IE7, and probably any Java-enabled browser that also has the QuickTime Java extension installed.
The bug can be used to compromise a user’s computer when the user simply visits a malicious website. The temporary workaround for this is simple: disable Java. I’m sure Apple is scrambling to get an update issued for QuickTime due to the bug’s widespread and cross-platform nature, but disabling Java is the best way to keep yourself safe at this time.
Dino, the person who found the flaw, also said in an interview with MacWorld that Vista is more secure than the Mac OS X operating system:
I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies.
Thanks for the tip, CoryC!