QuickTime Vulnerability

Posted: Friday, September 14, 2007 by El Guru in Blogs, CyberNet, Firefox, Fx 1.5, Fx 2.0, Fx 3.0, IE, Mozilla News, Windows

From Mozilla Links

GNUCITIZEN, a “creative hacker organization”, has disclosed details on a severe security vulnerability affecting Firefox users that have installed the QuickTime plugin on Windows or Mac OS X, which at a minimum includes all iTunes users.

The vulnerability is based on QuickTime Media Link files (.qtl), simple XML files that include details about the media file to be played (like an .avi, .mov or .mp3) and other settings. However one of these parameters, qtnext, allows the publisher to specify a URL (web address) to be displayed when the media file ends. The URL could be a JavaScript instruction like those used in thousands of web pages and services currently.

To this point there is no problem. But Firefox itself is controlled through JavaScript code and libraries in an isolated environment that separates it from web pages code. The QuickTime plugin however can access the Firefox code just as any other object and manipulate it to run any application in an attacked computer.

To make things worse, the QTL files can be renamed as .mp3, .mpg, .avi or any of a couple of dozen file formats QuickTime supports and it will handle them properly, easing the scenario for possible attacks.

The test cases posted by GNUCITIZEN are really scary: click on an mp3 and the QuickTime plugin tries to load the file which doesn’t exist so it quickly completes and launches Windows Calculator. But it could be any application with any parameter.

The article goes on to recommend the removal of QuickTime from your system. However for me that is not something I really want to do. Oddly enough I do use QuickTime quite frequently. A blog I frequent uses QuickTime videos and my internet based answering service uses QuickTime for the messages (although I could choose to download them as MP3). Further it is important to understand that is a QuickTime issue and it is NOT just isolated to Firefox and Windows. It also affects IE (but not as severely) and even the immortal Macs.

While bug 395942 was caught early enough that it could be patched in Firefox 2.0.0.7, what is one suppose to do in the mean time? You can go thru the process of removing QuickTime wait for new versions of Firefox and QuickTime and then reinstall. But there is a batter option, thanks to our friends on the CyberNet Forum. Turns out the NoScript extension will protect your from this vulnerability.

News Sources:

Comments
  1. […] According to the Firefox:2.0.0.7:Test Plan, Fx 2.0.0.7 is going to be a security fix for the QuickTime Vulnerability. This update/security release could be out later today. Everything else that is planned for the Fx […]

  2. […] 2.0.0.7 – Fire Drill (Security) release to address the QuickTime Vulnerability. Should be out later today or on Tuesday […]

  3. […] , Mozilla Firefox , Mozilla News Fx 2.0.0.7 is a Fire Drill (Security) release to address the QuickTime Vulnerability. Currently it has not been pushed out to the ‘GetFirefox‘ page or into the auto updates […]

  4. […] released version 2.0.0.7 as a Fire Drill (Security) release. This security release addresses a severe vulnerability to Firefox for Windows & Mac users who have installed the Quicktime plugin, at minimum all […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s