<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Spam Chronicles&#187; exploit</title>
	<atom:link href="http://www.spamchronicles.com/tag/exploit/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.spamchronicles.com</link>
	<description>Computer Security Logs</description>
	<lastBuildDate>Tue, 05 Oct 2010 22:13:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Vulnerability Pits Firefox Against IE</title>
		<link>http://www.spamchronicles.com/2007/07/10/vulnerability-pits-firefox-against-ie/</link>
		<comments>http://www.spamchronicles.com/2007/07/10/vulnerability-pits-firefox-against-ie/#comments</comments>
		<pubDate>Tue, 10 Jul 2007 22:52:23 +0000</pubDate>
		<dc:creator>ray</dc:creator>
				<category><![CDATA[Spam Chronicles 1.0]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[internet-explorer]]></category>

		<guid isPermaLink="false">http://www.spamchronicles.com/security-vulnerability/vulnerability-pits-firefox-against-ie/</guid>
		<description><![CDATA[A new zero-day vulnerability exists when both Firefox 2.x and Internet Explorer are installed on the same machine. The exploit is most likely to be available on PCs with Firefox 2.0.0.2 installed due to changes made for Microsoft Vista compatibility. The general consensus of the comments is that both applications contribute to the exploit. Firefox [...]]]></description>
			<content:encoded><![CDATA[<p>A new <a title="Jump to the entry on Larholm.com" href="http://larholm.com/2007/07/10/internet-explorer-0day-exploit/">zero-day vulnerability</a> exists when both Firefox 2.x and Internet Explorer are installed on the same machine. The exploit is most likely to be available on PCs with Firefox 2.0.0.2 installed due to changes made for Microsoft Vista compatibility.</p>
<p>The general consensus of the comments is that both applications contribute to the exploit. Firefox is the attack vector and fails to validate the malicious code, but Microsoft contributes by not properly passing quotes to the command line. You need to visit a malicious website using IE in order to trigger the exploit.</p>
<p>In a response to a user comment Thor Larholm responded:</p>
<blockquote><p>&#8230; Firefox is the current attack vector but Internet Explorer is to blame for not escaping ” (quote) characters when passing on the input to the command line. I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely.</p></blockquote>
<p>What I find interesting is the complexity of the requirements leading to the exploit. Neither product is vulnerable alone since both must be installed and both products have a flaw that contributes to the vulnerability.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spamchronicles.com/2007/07/10/vulnerability-pits-firefox-against-ie/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mac Hacked &#8211; Both Sides Miss the Point</title>
		<link>http://www.spamchronicles.com/2007/04/25/mac-hacked-both-sides-miss-the-point/</link>
		<comments>http://www.spamchronicles.com/2007/04/25/mac-hacked-both-sides-miss-the-point/#comments</comments>
		<pubDate>Wed, 25 Apr 2007 23:38:17 +0000</pubDate>
		<dc:creator>ray</dc:creator>
				<category><![CDATA[Spam Chronicles 1.0]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[mac]]></category>

		<guid isPermaLink="false">http://www.spamchronicles.com/commentary/mac-hacked-both-sides-miss-the-point/</guid>
		<description><![CDATA[One of two MacBooks was hacked at the CanSecWest conference in Vancouver, Canada. Both MacBooks were part of the &#8220;hack-a-Mac contest&#8221; at the show. A successful hacker got the MacBook. The MacBooks were set up with OS X and all the latest security updates (including 2007-004) but no additional security software or special settings. One of [...]]]></description>
			<content:encoded><![CDATA[<p>One of two MacBooks was hacked at the CanSecWest conference in Vancouver, Canada. Both MacBooks were part of the &#8220;hack-a-Mac contest&#8221; at the show. A successful hacker got the MacBook. The MacBooks were set up with OS X and all the latest security updates (including 2007-004) but no additional security software or special settings.</p>
<p>One of the Macs was hacked on the second day, which made headlines (in the types of publications that care about such things). The headlines tended to be slanted in one of two directions. Some emphasized that Mac security was breached and equated it to the worst Windows vulnerabilities. They left out the details. On the other side, the articles were slanted towards the fact that the breach only occurred after the rules were relaxed and that the breach didn&#8217;t get root access. This was true and more detailed than the sensational headlines in the first category, but they tended to imply the breach was meaningless.</p>
<p>The facts are:</p>
<ul>
<li>The Mac was breached when it visited a malicious website</li>
<li>The vulnerability is in Quicktime (Initial reports that it was a vulnerability in Safari were wrong.)</li>
<li>Both Firefox and Safari could be used to deliver the vulnerability</li>
<li>Windows is also considered vulnerable (if it has Quicktime)</li>
<li>The vulnerability was found by a security researcher and the exploit was actually delivered by a friend of his. The friend is keeping the MacBook, the researcher is applying for the $10,000 bounty offered by TippingPoint.</li>
<li>A second Mac, which required a hacker to get root/administrator level access and did not surf the web, was not breached.</li>
</ul>
<p>What does this all mean, if anything?</p>
<p>Starting at the top, it was necessary to visit a website to be breached. The OS used doesn&#8217;t affect whether or not a person visits a website, so social engineering is universally available against every OS with a web browser. (I&#8217;ll avoid the path which talks about which OS has &#8220;smarter&#8221; users.) The best that can be said is that since there are more Windows users, they&#8217;re more likely to be affected if the vulnerability is OS specific. But do exploits have to be OS specific?</p>
<p>The vulnerability was in Quicktime, which is essentially a third party app. I don&#8217;t say this to claim OS X wasn&#8217;t hacked. Apple created Quicktime and delivers it with every new Mac. Apple is responsible for it and for updating it. But Quicktime is essentially a 3rd party app made by the same company as the OS, so it&#8217;s bundled. The vulnerability is also thought to exist in the Windows version (for obvious reasons the exact details of the vulnerability aren&#8217;t public). The Macromedia (now Adobe) Flash Player is another 3rd party web-helper app that has had <a href="http://www.adobe.com/devnet/security/security_zone/mpsb05-07.html" title="Jump to an example of a Flash player vulnerability">vulnerabilities</a> in the past. OS vendors can&#8217;t prevent vulnerabilities in 3rd party apps; the most they can do is mitigate their effect.</p>
<p>Both Firefox and Safari could be used to run the exploit. This isn&#8217;t surprising since the vulnerability was in Quicktime. But it does mean any modern browser could probably be used.</p>
<p>Windows, with Quicktime, is also vulnerable (or it&#8217;s thought to be). By exploiting a vulnerability in a third party app it&#8217;s possible to exploit multiple OSes. The greatest number of PCs are still Windows, so the payload delivered by the exploit might be Windows only if the hacker is lazy or just wants the biggest bang. But it&#8217;s not difficult to determine the OS used, so it would be trivial to deliver an OS specific payload for various OSes through the same exploit. It&#8217;s just a matter of writing each one.</p>
<p>The exploit was found as part of a contest with a prize of a MacBook and was submitted for a $10K prize. Years ago it might have been enough to be able to claim bragging rights. Now money is a prime motivator. Money motivates hacking both for good (bounties, paychecks) and for bad (selling spam distribution, stealing passwords). An OS will be targeted when the financial rewards justify the effort.</p>
<p>Root level access was not obtained, &#8220;only&#8221; user level access. While this may be the best a current OS can do when a 3rd party app is hacked, it still does not mean we aren&#8217;t at risk. Programs installed into the user&#8217;s folders do not require a password to install and run. As Windows PCs become more secure, hackers may have to learn to live with user-level hacks in the Windows world. Since that world is so large, there&#8217;s a bigger financial reward for success. Once the lessons are learned there, they will be trivial (low cost) to transfer to the OS X world. So while OS X may have a smaller user base (and therefore reward), the cost to hack OS X will also drop. Most of what hackers want is available through user level access; it&#8217;s just easier when you can own the machine as an administrator. It just means the user needs to be signed on (unless they find a way around that), but many PCs and Macs use auto logons and most PCs stay logged on whenever they are turned on.</p>
<p>Of course, the old unavoidable hacks persist, as evidenced by the recent animated cursor exploit, for which we were defenseless for a while and which could be exploited without us having to click anything (although receiving an email or going to a website was still required). But their numbers are decreasing.</p>
<p>I wouldn&#8217;t be surprised to learn that a PC installed with Vista (latest patches, additional software or settings) would be as secure as OS X. But what will bite Microsoft is that they don&#8217;t control the installations, the resellers do. Since tight security means more support calls (which go to the vendor, not to Microsoft) I wouldn&#8217;t be surprised to learn that what&#8217;s actually shipping is not as secure as it should be.</p>
<p>The best protection Mac users have is that there&#8217;s an extremely large population of vulnerable Windows machines out there and exploiting them is easy. In Windows XP Service Pack 2 Microsoft turned on the firewall by default. This made it much harder to just scan the internet looking for open ports to exploit and deliver a payload. This brought a drop in the spread of viruses through that method but an increase in other methods such as email and malicious websites. These are methods which require a user to take action (again, with some exceptions when a vulnerability can be exploited to bypass user action). With the firewall change the hackers changed their tactics to other profitable methods. I won&#8217;t be surprised to learn that web based attacks are becoming more sophisticated and will use cross-platform applications to exploit multiple OS. And as more applications work cross platform we&#8217;ll probably see more multiple OS aware attacks through their data files.</p>
<p>The good news is that Mac OS X has good security and Microsoft Windows is getting more secure as Microsoft learns its lessons. We humans are now being targeted as the weak link, but we do have control over where we browse and what email we open. The bad news is that there are still software vulnerabilities, so that even the most careful of us are still at risk, although less risk than before.</p>
<p>The point isn&#8217;t which is more secure, OS X or Linux. The point is whether or not your computing habits and the software you use are secure. If they aren&#8217;t secure then no matter which OS you use it&#8217;s only a matter of time before you have problems.</p>
<p><a href="http://news.com.com/Mac++hacked+through+QuickTime+flaw/2100-1002_3-6178787.html" title="Jump to the news.com article about the Mac hack">News.com</a> has a good story about the hack that emphasizes the details instead of the hype.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spamchronicles.com/2007/04/25/mac-hacked-both-sides-miss-the-point/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows PC Have Cursor Hole</title>
		<link>http://www.spamchronicles.com/2007/03/31/windows-pc-have-cursor-hole/</link>
		<comments>http://www.spamchronicles.com/2007/03/31/windows-pc-have-cursor-hole/#comments</comments>
		<pubDate>Sun, 01 Apr 2007 01:58:32 +0000</pubDate>
		<dc:creator>ray</dc:creator>
				<category><![CDATA[Spam Chronicles 1.0]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.spamchronicles.com/windows/windows-pc-have-cursor-hole/</guid>
		<description><![CDATA[Microsoft released a security advisory about a flaw in animated cursors which would allow drive-by installs. Windows 2000 SP4 and all recent operating systems are affected, including Vista. IE 7 running on Vista would be protected from a drive-by install if it is running in protected mode. Also, Outlook 2007 uses Word to display messages [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft released a <a href="http://www.microsoft.com/technet/security/advisory/935423.mspx" title="Microsoft Security Advisory 935423">security advisory</a> about a flaw in animated cursors which would allow drive-by installs. Windows 2000 SP4 and all recent operating systems are affected, including Vista. IE 7 running on Vista would be protected from a drive-by install if it is running in <a href="http://www.microsoft.com/windows/products/windowsvista/features/details/IE7protectedmode.mspx" title="Info on protected mode from Microsoft's website">protected mode</a>. Also, Outlook 2007 uses Word to display messages in preview, so it would not be vulnerable.</p>
<p>The only real protection from this vulnerability would be for Microsoft to release a patch. The next &#8220;patch Tuesday&#8221; is April 10th. [Updated 4/2: Microsoft has said they will release a patch on Tuesday 4/3]</p>
<p>There&#8217;s also a significant impact within e-mail. The Microsoft security bulletin mentions e-mail as a method to exploit the vulnerability.</p>
<blockquote><p><strong>What might an attacker use this function to do?</strong><br />
An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.</p></blockquote>
<p>Even previewing the mail message in a preview pane could infect the machine. (See below for exceptions to this.)</p>
<p>Microsoft&#8217;s recommendation for e-mail is:</p>
<blockquote><p>Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. </p>
<p>• Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector. Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.</p>
<p>Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.</p>
<p>Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability. Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:</p>
<p>• The changes are applied to the preview pane and to open messages.</p>
<p>• Pictures become attachments so that they are not lost.</p>
<p>• Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.</p></blockquote>
<p>Microsoft makes the usual recommendation of not reading e-mail from a source you don&#8217;t know. But addresses can be spoofed or faked, so any vulnerability like this (where just viewing the message could infect the PC) is a problem. Turning off the preview pane will prevent accidents. There really isn&#8217;t any protection until Microsoft releases a patch.</p>
<p>Here&#8217;s a video of what happens when the vulnerability is used for a DoS attack on a PC (video via <a href="http://uneasysilence.com/archive/2007/03/10132/" title="Jump to the article with the video on UneasySilence">UneasySilence</a>):</p>
]]></content:encoded>
			<wfw:commentRss>http://www.spamchronicles.com/2007/03/31/windows-pc-have-cursor-hole/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

