QuickTime offers hackers a peep show [Update]
A weak point in Apple's QuickTime media player for Mac OS X can be exploited to let Java applets read parts of the screen content. Attackers might be able to use manipulated web content to gain access to sensitive user information. The vendor describes this problem on its support website and has already provided a patch for Mac OS X 10.4.8 on Intel and PowerPC via its automatic update system.
The hole in the media player's Java components is only a problem when running with the Mac OS X Quartz composite manager. QuickTime installations on other operating systems are therefore not affected. However, users of Mac OS X are advised to install the update without unnecessary delay.
Update:
MacNews.de has reported a demo exploit that shows the effects of the weak point. On one of the publisher's web sites, the Java applet activated the iSight camera – as indicated by the green light – and sent the camera image read out through the security hole back to the web server.
Also see:
- About Security Update 2006-008, information on the QuickTime hole from Apple
(ehe)