Organizers of last week’s MacBook Pro hack challenge on Thursday disputed accounts that the QuickTime exploit that won the $10,000 prize was stolen from a wireless network and is now in circulation.

“Not likely,” said Dragos Ruiu, one of the CanSecWest and hack contest organizers. “Everything went over a wired network. It was in a locked storage locker, so it would have to have been physically compromised.”

When asked about the chance that the exploit could now be in the hands of anyone other than 3Com TippingPoint, the company that paid $10,000 for the code; its creator, Dino Dai Zovi; and Apple, Ruiu said: “Slim.” Dai Zovi’s exploit for the QuickTime vulnerability is “very serious,” security researchers have said. To make matters worse, unconfirmed reports surfaced Wednesday that others might have captured the exploit while the MacBook Pro was being attacked. In a blog post, Thomas Ptacek, a researcher at Matasano Security LLC, a New York-based security consultancy, said: “Raw packet captures of the successful exploit have been taken by parties unknown.”

Later in the day, Ptacek retracted his claim after another CanSecWest organizer posted a comment to the Matasano blog. “Someone may have reverse-engineered the vulnerability but they didn’t pull it off the connection there,” wrote someone identified as “toby.”

“The network was very simple: a WAP [wireless access point] that was connected to a hub and to the router to provide net access. The Macs sat on the hub and the only other systems on there were the ones we used to monitor the connection to ensure rules were followed. The WAP was routing traffic from the hub to the Internet, not sending it out over the wireless connection.

“We were sniffing the traffic on the wireless network and would have noticed if it had been sending traffic from the wired side,” toby said.

Ruiu confirmed the setup. “Even the guy who started the exploit sent it over the wired network,” he said.

Throughout Wednesday, Ptacek tried to get the researcher who claimed to have snared Dai Zovi’s exploit to confirm his findings, but to no avail. On the Information Security Sell Out blog, Ptacek asked for details, but the blog’s writer answered: “There is no real benefit to me in doing so. I am not one who cares if people believe my claims or not.”

That exchange and others led Ptacek to write on the Matasano site last night: “The majority of the ‘it leaked!’ leads in this soap opera are not panning out, fortunately for all involved.”

Dai Zovi’s discovery, if or when it does make it into the wild, threatens users of any Web browser that’s Java-enabled, TippingPoint has said. Until Apple patches QuickTime, the only sure defense is to disable Java in the browser.

Apple has not posted a fix or said when it would do so.