One-year-old QuickTime bug comes back to bite Firefox


A year ago this month, security researcher Petko D. Petkov released details on vulnerabilities in Apple's QuickTime media player to show how movie and MP3 files can be backdoored to hack into Firefox.

Apple fixed one of the bugs but the second issue, which allows malicious manipulation of QuickTime Media Link (.qtl) files, remains unpatched and presents a serious danger to Firefox users.

According to Petkov, a U.K.-based penetration testing specialist, this vulnerability can lead to full compromise of the browser and maybe even the underlying operating system.

In a blog entry that includes several proof-of-concept exploits, Petkov said the flaw can be used to install browser backdoors and take control of the underlying OS if the victim is running with administrative privileges.

I attempted to test some of the demo exploits (Firefox 2 on Mac OS X) and got this warning from Firefox:


However, on a fully patched Windows XP SP2 machine running Firefox 2, one of the exploits launched calc.exe without warning:

Because QuickTime is installed by default alongside iTunes, Petkov warns that iTunes users are also at risk.

Apple does not respond to queries on individual security issues. So far this year, the company has shipped at least five QuickTime/iTunes security updates but Petkov's one-year-old disclosure is still unpatched.


[ UPDATE: September 13, 2007 at 8:33 AM ] Mozilla security chief Window Snyder has confirmed this is a "very serious issue" for Firefox users. "[We are] working with Apple to keep our users safe and we are also investigating ways to mitigate this more broadly in Firefox."

If Firefox is the default browser when a user plays a malicious media file handled by Quicktime, an attacker can use a vulnerability in Quicktime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in Quicktime. So far this is only reproducible on Windows.

The Firefox security response team is working on a fix, but there's no explanation as to why it took the two companies a full year to pay attention to Petkov's warnings.

 


Talkback

16 comments
  • People are still using Quicktime?

    I don't remember the last time I watched an online video or listened to an MP3 using Quicktime. Is it still popular? If there is a video that you must see that is in Quicktime, couldn't you just copy it to disk, and then open it in standalone mode outside the browser and be safe? Just curious...
    Carrion
    • re: People are still using Quicktime?

      "Is it still popular?"

      Yes.

      "couldn't you just copy it to disk, and then open it in standalone mode outside the browser and be safe?"

      Probably, if the file is downloadable. However, most non technical users who use Quicktime probably wouldn't know how to do that.
      Badgered
    • Not for long.

      I do still have QT on my Vista machine, but if it doesn't stop nagging me to install iTunes, I won't have it for long. I can't remember the last time I used it, anyway.
      itpro_z
      • Quicktime Stinks (stronger words could be used) - borderline "crapware"

        I try not to use it where possible. It installs a self updater and a systray icon. Hate that. I delete it and remove it every time. It's slow as a pig. There are much better alternatives out there.
        ItsTheBottomLine
    • Opening outside the browser...

      ...won't protect you. In the update to the original story, it says:

      "This can happen while browsing or by opening a malicious media file directly in Quicktime."
      Greenknight_z
  • Rep and I are in heaven...

    This is music to our ears. For years and years now my rep and I have been waging war via my overt campaign titled "Rotten to the Core". This has been a blatant exercise in getting people out of the "*Pod culture" and used to fine and secure offerings like Windows Media Player and Zune. Whereas Apple is spreading viruses and malware via iTunes, Microsoft has embraced "the social" via the Zune. Just today I went to Starbucks with my rep for lattes and scones and squirted the Baristas with some trial-ware music from Zune. My rep then "accidentally" spilled coffee on one of the patrons who was using a Macbook. When she complained, my rep told her to calm down and gave her a voucher for Vista Ultimate at Best Buy. We then raced off in my rep's Porsche.
    Mike Cox
    • 9.4

      I like the image of you and your rep driving off into the sunset in his porsche.
      BanjoPaterson
    • 8.0

      You lost me when you "spilled coffee" on the MacBook.

      Any Apple fan wouldn't have allowed you to ride off into the sunset, they would have beat you to death with their newly ruined laptop.

      Other than that, very nice. :)
      laura.b
    • 9.2 <nt>

      <nt>
      balaknair
  • No exploit here

    I'm working with QT 7.1.6, FF 2.0.0.6 and Windows 2000. I see no issues on the guy's test cases. I will admit that I'm not willing to try the shutdown one, but I never saw calc.exe pop up at all.
    berck
  • Only on my windows box

    I use mplayer in Linux that plays everything but real; which isn't a big loss.
    Suicida|
  • Live Firefox's exploit here

    http://www.milw0rm.com/exploit.php?id=4399
    qmlscycrajg
    • Didn't work - blocked...

      ...and deemed a bad site.
      ItsTheBottomLine
  • Didn't affect me

    1. I don't have QuickTime
    2. I use NoScript, and WRT PDFs I have Javascript disabled in Adobe Reader as a matter of principle.
    bugmenot2
  • Using Firefox 2.0.0.6...

    I just tried the live url for the exploit. Nothing happened. Firefox just ignored it. All I got was a blank page loaded. The page source had the embedded mp3 script, attempting to run calc.exe, but nothing happened (running XP SP2). Firefox version 2.0.0.6 must have patched the vulnerability.
    zetacon4@...
  • Proof of concept failed here

    Firefox-2.0.0.6 with NoScript on linux.
    JDThompson