From the ‘pay for bugs’ files:
Apple is out with QuickTime 7.6.2, patching at least 10 security issues, six of which were credited to TippingPoint's Zero Day Initiative (ZDI), which pays security researchers for their bug finds.
Among the critical issues patched by Apple is one discovered by noted security researcher Charlie Miller (who sold the vulnerability to ZDI). Miller has successfully hacked Macs and iPhones at Pwn2Own and Black Hat events in the past.
Miller reported an issue where the simple act of viewing a maliciously crafted image could lead to arbitrary code execution.
Many of the issues patched by Apple in the 7.6.2 update are heap buffer overflows: a malformed file makes the parser write past the end of a heap-allocated buffer, and an attacker who controls what gets written can turn that into arbitrary code execution. Apple's fix in most cases is improved bounds checking, so that a length taken from the file is validated against the destination buffer before the copy and the overflow cannot happen in the first place.
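As an added illustration of that pattern (this is not Apple's code and not the actual QuickTime bug; the chunk format, the function names and the buffer sizes are all constructed for this example), here is a toy media-chunk decoder that trusts a length field from the file, next to the bounds-checked version, with a harness that shows what the unchecked copy overwrites:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy "image" chunk format (constructed for this example, not QuickTime's):
 *   bytes 0-1 : big-endian payload length
 *   bytes 2.. : payload (pixel data)
 * Both decoders copy the payload into a fixed-size heap buffer.
 */
#define PIXEL_CAPACITY 16u
#define NEIGHBOR_SIZE  32u
#define SENTINEL       0xA5

/* Vulnerable (hypothetical) decoder: the copy length comes straight from the file. */
int decode_chunk_unchecked(const uint8_t *chunk, size_t chunk_len, uint8_t *pixels)
{
    if (chunk_len < 2)
        return -1;
    size_t declared = ((size_t)chunk[0] << 8) | chunk[1];
    if (declared > chunk_len - 2)          /* stays inside the input ... */
        return -1;
    memcpy(pixels, chunk + 2, declared);   /* ... but not inside the 16-byte output */
    return (int)declared;
}

/* Hardened decoder: the declared length is checked against the destination too. */
int decode_chunk_checked(const uint8_t *chunk, size_t chunk_len,
                         uint8_t *pixels, size_t pixels_cap)
{
    if (chunk_len < 2)
        return -1;
    size_t declared = ((size_t)chunk[0] << 8) | chunk[1];
    if (declared > chunk_len - 2)
        return -1;
    if (declared > pixels_cap)             /* reject the chunk instead of overflowing */
        return -1;
    memcpy(pixels, chunk + 2, declared);
    return (int)declared;
}

/* Build a chunk whose header claims `payload_len` bytes; returns total length, 0 on error. */
size_t build_chunk(uint8_t *out, size_t out_cap, size_t payload_len, uint8_t fill)
{
    if (payload_len > 0xFFFF || payload_len + 2 > out_cap)
        return 0;
    out[0] = (uint8_t)(payload_len >> 8);
    out[1] = (uint8_t)(payload_len & 0xFF);
    memset(out + 2, fill, payload_len);
    return payload_len + 2;
}

/*
 * Run one decoder against a constructed chunk claiming `claimed_len` payload bytes.
 * The 16-byte pixel buffer sits at the start of a single malloc'd arena, followed
 * by a sentinel-filled "neighbor" region standing in for whatever the allocator
 * placed next to it (another object, or heap metadata).  Keeping everything
 * inside one allocation keeps the demonstration well-defined while still showing
 * the overwrite.  Returns the number of neighbor bytes clobbered, -1 if the
 * decoder rejected the chunk, -2 if the chunk could not be built.
 */
static int run_decoder(int use_checked, size_t claimed_len)
{
    uint8_t chunk[2 + PIXEL_CAPACITY + NEIGHBOR_SIZE];   /* payload can never exceed the arena */
    size_t chunk_len = build_chunk(chunk, sizeof chunk, claimed_len, 0x41);
    if (chunk_len == 0)
        return -2;

    uint8_t *arena = malloc(PIXEL_CAPACITY + NEIGHBOR_SIZE);
    if (!arena)
        return -2;
    uint8_t *pixels   = arena;
    uint8_t *neighbor = arena + PIXEL_CAPACITY;
    memset(pixels, 0, PIXEL_CAPACITY);
    memset(neighbor, SENTINEL, NEIGHBOR_SIZE);

    int rc = use_checked
        ? decode_chunk_checked(chunk, chunk_len, pixels, PIXEL_CAPACITY)
        : decode_chunk_unchecked(chunk, chunk_len, pixels);

    int clobbered = 0;
    for (size_t i = 0; i < NEIGHBOR_SIZE; i++)
        if (neighbor[i] != SENTINEL)
            clobbered++;
    free(arena);
    return rc < 0 ? -1 : clobbered;
}

int clobbered_by_unchecked(size_t claimed_len) { return run_decoder(0, claimed_len); }
int clobbered_by_checked(size_t claimed_len)   { return run_decoder(1, claimed_len); }

int main(void)
{
    printf("unchecked, 40-byte claim: %d neighbor bytes overwritten\n", clobbered_by_unchecked(40));
    printf("checked,   40-byte claim: %d (chunk rejected)\n", clobbered_by_checked(40));
    printf("checked,    8-byte claim: %d neighbor bytes overwritten\n", clobbered_by_checked(8));
    return 0;
}
```

The unchecked decoder already validates the length against the input, which is the check developers most often remember; the one it lacks is the comparison against the output buffer, and that is the kind of bounds check a fix like Apple's adds. In a real heap the 24 bytes written past the pixel buffer would land on an adjacent allocation or allocator metadata, which is where control of the overwritten bytes turns into code execution.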
Apple’s QuickTime was patched earlier this year for seven different issues. Over the course of 2008, security researchers repeatedly found multiple vulnerabilities in QuickTime.
With so many of the flaws in this update being reported by way of a single reporting group, I think it clearly shows the value of the ZDI model. If you pay for security research, then results will follow. Had ZDI not paid for these flaws, I think there could have been more potential for these issues to have been legitimate zero day issues in the wild that put millions of users at risk. ZDI keeps the vulnerabilities private and doesn’t release them, providing Apple and its users with what I consider to be an invaluable service.