One-year-old QuickTime bug comes back to bite Firefox

A year ago this month, security researcher Petko D. Petkov released details on vulnerabilities in Apple's QuickTime media player to show how movie and MP3 files can be backdoored to hack into Firefox.

Apple fixed one of the bugs but the second issue, which allows malicious manipulation of QuickTime Media Link (.qtl) files, remains unpatched and presents a serious danger to Firefox users.

According to Petkov, a U.K.-based penetration testing specialist, this vulnerability can lead to full compromise of the browser and maybe even the underlying operating system.

In a blog entry that includes several proof-of-concept exploits, Petkov said the flaw can be used to install browser backdoors and take control of the underlying OS if the victim is running with administrative privileges.

I attempted to test some of the demo exploits (Firefox 2 on Mac OS X) and got this warning from Firefox:

[Screenshot: Firefox warning dialog]

However, on a fully patched Windows XP SP2 machine running Firefox 2, one of the exploits launched calc.exe without warning:

Because QuickTime is installed by default alongside iTunes, Petkov warns that iTunes users are also at risk.

Apple does not respond to queries on individual security issues. So far this year, the company has shipped at least five QuickTime/iTunes security updates but Petkov's one-year-old disclosure is still unpatched.

ALSO SEE:

Serious QuickTime bugs bite Windows Vista, Mac OS X

QuickTime bug brought down MacBook

[ UPDATE: September 13, 2007 at 8:33 AM ] Mozilla security chief Window Snyder has confirmed this is a "very serious issue" for Firefox users. "[We are] working with Apple to keep our users safe and we are also investigating ways to mitigate this more broadly in Firefox.

If Firefox is the default browser when a user plays a malicious media file handled by Quicktime, an attacker can use a vulnerability in Quicktime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in Quicktime. So far this is only reproducible on Windows.

The Firefox security response team is working on a fix, but there's no explanation as to why it took the two companies a full year to pay attention to Petkov's warnings.

 


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
