A year ago this month, security researcher Petko D. Petkov released details on vulnerabilities in Apple's QuickTime media player to show how movie and MP3 files can be backdoored to hack into Firefox.
Apple fixed one of the bugs but the second issue, which allows malicious manipulation of QuickTime Media Link (.qtl) files, remains unpatched and presents a serious danger to Firefox users.
According to Petkov, a U.K.-based penetration testing specialist, this vulnerability can lead to full compromise of the browser and possibly even the underlying operating system.
In a blog entry that includes several proof-of-concept exploits, Petkov said the flaw can be used to install browser backdoors and take control of the underlying OS if the victim is running with administrative privileges.
I attempted to test some of the demo exploits (Firefox 2 on Mac OS X) and got this warning from Firefox:
However, on a fully patched Windows XP SP2 machine running Firefox 2, one of the exploits launched calc.exe without warning:
Because QuickTime is installed by default alongside iTunes, Petkov warns that iTunes users are also at risk.
Apple does not respond to queries on individual security issues. So far this year, the company has shipped at least five QuickTime/iTunes security updates, but Petkov's one-year-old disclosure is still unpatched.
[ UPDATE: September 13, 2007 at 8:33 AM ] Mozilla security chief Window Snyder has confirmed this is a "very serious issue" for Firefox users. "[We are] working with Apple to keep our users safe and we are also investigating ways to mitigate this more broadly in Firefox."
If Firefox is the default browser when a user plays a malicious media file handled by Quicktime, an attacker can use a vulnerability in Quicktime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in Quicktime. So far this is only reproducible on Windows.
The Firefox security response team is working on a fix, but there is no explanation of why it took the two companies a full year to act on Petkov's warnings.