Explaining the Quartz Composer / QuickTime for Java Security Hole

Chris Adamson has written an outstanding explanation, complete with demo code, of the Quartz Composer / QuickTime for Java security hole addressed by Apple’s Security Update 2006-008.

In a nutshell: the trick that allows a self-contained QuickTime movie to display live footage from your iSight is and always was safe (the footage never goes over the wire back to the server); it was the combination of that same trick with the QuickTime for Java APIs that allowed the footage to go back to the server, and that hole is now closed.

Friday, 22 December 2006