The security flaw used to breach a MacBook in a hack-a-Mac competition last week also affects Internet Explorer on Windows PCs, according to TippingPoint.
Initially, the flaw was thought to be exploitable only through Apple's Safari and Mozilla's Firefox Web browsers on both Macs and Windows PCs. Researchers at TippingPoint have now determined that the bug, which lies in Apple's QuickTime media player, also impacts Internet Explorer on Windows.
"New facts have emerged," Terri Forslof, manager of security response at TippingPoint, said in a statement Wednesday. "We have now verified that this issue affects both Windows and Mac operating systems, including Windows Vista through Internet Explorer."
Any Web browser that supports Java and has QuickTime installed is affected by this issue, according to TippingPoint. An attacker could exploit the flaw by luring a victim to a malicious Web site.
Further details on the flaw are being kept confidential until Apple patches it. TippingPoint, which sells intrusion prevention systems, had offered a $10,000 prize for a Mac zero-day vulnerability as part of the "PWN to Own" hack-a-Mac contest at the CanSecWest conference in Vancouver, B.C.
Disabling Java in a browser shields a computer against attacks that exploit the flaw, Dino Dai Zovi, who found the flaw, has said. Macs are vulnerable by default because Apple ships QuickTime with the operating system. Windows users are only vulnerable if QuickTime is installed.
In Vista, IE7 can run under its Protected Mode which, in theory, will prevent any COM/ActiveX component it hosts from doing any vice by running them under highly unprivileged criteria regardless of their preferences. It'll be interesting to know if this security flaw still poses any threat with Protected Mode enabled.