updated 10:25 pm EDT, Mon June 1, 2009
QuickTime fixes hacker bug
The QuickTime 7.6.2 update, released on Monday, allegedly addresses a security vulnerability that was partially described in "The Mac Hacker's Handbook," according to PCWorld. Apple usually succeeds in addressing bugs before they are made public, although the book, written by Charlie Miller and Dino Dai Zovi, provided many of the details surrounding an issue with the way QuickTime reads files compressed using the JP2 format.
Miller included instructions for finding flaws in Apple's software. He has been credited with disclosing a number of bugs fixed in separate Apple security updates, while also winning the Pwn2Own contest by hacking a MacBook in just seconds.
"If you followed all the steps you would find ... the bug," Miller said. "I didn't show the bug, but I gave the recipe for how to find it."
Apple's security team approached Miller at the CanSecWest conference in March, where he then provided the exploit code. Another hacker, Damian Put, sold a variant of the bug to TippingPoint, although it is unclear if he first learned of the issue through the handbook.
In an interview following the Pwn2Own win, Miller suggested that Macs are less secure than PCs. He still recommends Macs for typical users, however, as a significantly larger amount of malware targets Windows systems.