I don’t think that anyone likes to hear about security-related bugs because they can get you all worked up. This new bug, however, is a very critical one found by Dino Dai Zovi at the recent Mac hacking contest. It affects almost anyone that has QuickTime installed, on both Mac OS X and Windows, which is just about everyone with an iPod.

Secunia tracks vulnerabilities very closely, and according to them the bug affects both Firefox and Safari on Macs. Another researcher said that this also affects Windows Vista through IE7, and probably any Java-enabled browser that also has the QuickTime Java extension installed.

The bug can compromise a user’s computer when they simply visit a malicious website. The temporary workaround for this is simple: disable Java. I’m sure Apple is scrambling to get an update issued for QuickTime due to the bug’s widespread and cross-platform nature, but disabling Java is the best way to keep yourself safe at this time.

Dino, the person who found the flaw, also said in an interview with MacWorld that Vista is more secure than the Mac OS X operating system:

I have found the code quality, at least in terms of security, to be much better overall in Vista than Mac OS X 10.4. It is obvious from observing affected components in security patches that Microsoft’s Security Development Lifecycle (SDL) has resulted in fewer vulnerabilities in newly-written code. I hope that more software vendors follow their lead in developing proactive software security development methodologies.

Thanks for the tip CoryC!

  1. I don’t have Quicktime or Java (eew) enabled, so I guess I’m safe :twisted:

  2. Good news then actually. I have Quicktime, Alternative actually, and love it. I know lots of people hate it, but I’m a movie buff and Quicktime is by far the best format for the highest quality movie trailers. I have Java installed only because one single program I use requires it, and always keep the ‘enable java’ option in Firefox unchecked until I actually need it for something, which is never, and turn it back on for a while. So good news since Java is always turned off in my Firefox.

  3. Not only iPods, but the Creative Zen Vision players are also affected because their Zencast software needs Quicktime to convert downloaded podcasts.

  4. I always keep Java disabled in my browser as well. It is annoying when I have to wait for Java to start on my computer in order for it to work in the browser. I think they need to take some tips from the Adobe Flash developers who know how to do things right.

    Davin Peterson wrote:
    Not only iPods, but the Creative Zen Vision players are also affected because their Zencast software needs Quicktime to convert downloaded podcasts.

    Good to know…at least Apple now has a bug fix out for QuickTime so that too many of these users won’t have to worry about it.