Enterprise Newsletter
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 CIO Virtualization
 CIO Mobile
 CIO Security
 CIO Insider
More Newsletters | Edit Profile
 
RSS Feeds »
 
 
LEADERSHIP
 
CIO Executive Programs
The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 
CIO Executive Council
A Peer-Advisory Service and Professional Association for CIOs

Mid-Market CIO Panel: Tips and Techniques for Improving Vendor Relationships

July 15, 4:00 PM - 5:00 PM U.S./Eastern (GMT-4)

We'll highlight relationship priorities and best practices identified in a Council study, and we'll interact with a CIO panel on the approaches they've used to improve strategic vendor partnerships.

Secrets of Successful Vendor Contract Negotiations for the Mid-Market

Sept. 10, 2009, 11:00 AM - 12:00 PM U.S./Eastern (GMT-4)

On this free public Council teleconference, Matthew A. Karlyn, attorney at Foley & Lardner in Boston, will share tips on negotiating tactics and new, creative contract terms to help mid-market CIOs make better deals.

Executive Competencies Assessment Tool

Assess Your Business Leadership Skills with the Council's new benchmarking tool. Rate yourself in change leadership, strategy, customer focus and more.

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 

buy a link »

Ads by TechWords
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

Subscription Services »
Reprints »

 
 
News Feature
 

QuickTime Bug Still Exploitable, Security Researcher Says

The QuickTime vulnerability that led to a widespread worm outbreak on MySpace.com last month could be exploited again, according to ...

 

January 05, 2007CIO

The QuickTime vulnerability that led to a widespread worm outbreak on MySpace.com last month could be exploited again, according to security researcher Aviv Raff, who has published software that illustrates his point.

Apple Computer issued a temporary patch for the problem last month, but on Wednesday Raff published proof-of-concept code showing how this bug could still be exploited in combination with other malicious software to run unauthorized software on a patched computer.

Apple created its patch after a worm spread through the MySpace community in early December, stealing MySpace log-in credentials and promoting adware websites. But rather than addressing the underlying problem, Apple’s fix appears to simply block the MySpace worm code, Raff said. "Apple’s patch has no effect on this vulnerability," he said via instant message.

Users were infected by the MySpace worm when they played maliciously encoded .mov multimedia files.

The attack demonstrated by Raff is called a cross-zone scripting attack. It circumvents the "zone" security model that is used by Internet Explorer to limit the types of things Web-based software can do on a PC. "It potentially allows an attacker to execute arbitrary code on the user’s machine," Raff said of the vulnerability.

Raff’s proof-of-concept code shows how this cross-zone scripting attack could be used to run code on a Windows 2000 system running the Internet Explorer 6 browser. It was published as part of a monthlong effort to draw attention to security issues in Apple’s products, called the Month of Apple Bugs.

Running malware on a victim’s PC is a two-step process, however, and attackers would also need to exploit a second vulnerability in order to trick the browser into running their code.

Raff’s code exploits a known bug in Microsoft’s Management Console software, which was patched last August. But the attack could also be paired with code that takes advantage of an unpatched Windows vulnerability, making it a far more serious exploit, said Alyssa Myers, a virus research engineer with McAfee. "It seems likely that this sort of thing could be used for a MySpace worm," she said. "Whether that actually ends up happening is anybody’s guess."

When Apple created its QuickTime fix last month, it did not deliver the software directly to QuickTime users, but instead took the unusual step of having MySpace link to the code.

Apple may have decided not to distribute this patch directly because it did not address the underlying problem, said Tim Erlin, risk assessment technology manager with nCircle Network Security. "They didn’t patch the whole thing," he said. "They reacted to the emergence of a worm on MySpace."

 
 
Loading...
 
WHITE PAPERS

The Gartner Magic Quadrant for IT PPM Applications

This report evaluates 19 vendors on their ability to execute and completeness of vision.
 

A Bottleneck-free Infrastructure

Storage bottlenecks have a significant impact on performance and productivity.
 

Investing in Business Analytics Technology

Find the answers to your questions about business anyalytics initiatives.
 

Document-Sharing Solutions

Examine the benefits and challenges that IT executives are facing and how they plan to control the changes.
 

How Can Your Organization Weather This Economic Storm?

IT executives are under intense pressure to cut costs, and that pressure is significantly increased by the current grim economic outlook.
 

Deliver Higher-Performing Technology Services with ITIL

Enable the business and your IT organization to cope with the effects of economic stress.
 

WEBCASTS

Managing Client Systems in the Enterprise

Keeping client systems costs under control is just one of the many initiatives IT must address when trying to manag...
 

Webcast with Dan Vesset: Investing in Business Analytics Technology

What exactly is business analytics and why should you care? Dan Vesset of IDC and Gaurav Verma of SAS answer this a...
 

Enterprise Cloud Computing: Ready for Primetime?

The progression toward enterprise cloud computing is happening today, as industry leaders deploy technologies that ...
 

Preparing Your Business Services for the Future

Would you trust your network monitoring tools enough to know when something is truly halting a business service? Wh...
 

Enterprise System Management Challenges in Big Organizations with Eli Almog

In this Podcast with Eli Almog, Corporate Architect in BMC's CTO Office, discusses how IT managers can know when it...
 

A Down-to-Earth look at Cloud Computing

Is cloud computing going to take over the data center as we know it? Join us as we talk about cloud computing with...
 

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Using Open Source to Deploy Web Applications

How Interactive Viewer Reduces the Effort to Meet Visualization Requirements

White Paper: 8 Key Ingredients to Building an Internal Cloud

Software Executives: Take Control of Your Organization's Code Quality

BPM ROI calculator

Oracle's Application Grid Technical Demo

Next-Generation Application Servers and Infrastructure

Application Infrastructure at Enterprise Organizations

Achieving Business Agility with Application Grid

Craft a Strategy to Lower Your Total Cost of Ownership

A Natural User Interface for Enterprise Applications

On-Demand HR for a Global Organization

Four steps to populate your CMDB.

Delivering Secure and Reliable Data through Spreadsheet Automation

Open Source BI: Inexpensive Solutions for Developers

Gartner Shares Predictions for 2009

64-page prescriptive guide to security, compliance, and IT operations.

Get Google Enterprise Search for your business information.

Accenture IT Consulting: Enabling high performance. More...

Top Five CIO Challenges

Insight makes it easy to spend your Microsoft subsidy check.

Five minute business analytics assessment. Immediate results.

Dangerous Collaboration Practices: 5 Ways IT Can Minimize Risk

Revolutionizing Enterprise Application Deployment

Learn how to managing client systems in the enterprise.

Cloud Computing: Read about VMware's compelling vision & set of products

Top-line Performance that's Bottom-line Efficient

How Open Source is Changing the Face of Enterprise Software

BPM Survey Results: The Real-World Analysis

Ready to Act: 3 Recommendations for Agile Processes

Oracle WebLogic Server Technical Demo

Data Grids and Service-Oriented Architecture

Achieving the Impossible: Unlimited Application Scalability

A Middleware Foundation for Application Grid

Next Generation Enterprise Applications

A Truly Global HCM System

Learn how to provide complete Business Service Management.

Increase ROI of Your Application Portfolio

Financial Institutions Need Rich Internet Applicatons

Forrester: Implementing Rich Internet Applications

"Enterprise-Proven" is the Prerequisite for Enterprise SaaS Portal Solutions

Improve ROI, lower TCO and reduce energy consumption.

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

Better spam protection with Postini for just $1/user/mo

Introducing the new HP ProLiant G6 server family

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Accenture IT Consulting: Logical meets technological. More . . .