Unpatched QuickTime-to-Firefox flaw dings IE too

Summary: Security researcher Aviv Raff has found a way to use the one-year-old (and still unpatched) QuickTime vulnerability to automate XAS (cross application scripting) attacks against users of Microsoft's Internet Explorer.


To demonstrate the attack scenario, Raff embedded a rigged QuickTime file on Google's BlogSpot to force a Skype shutdown if an IE user is tricked into visiting that Web page. Any limited Web environment that allows embedded QuickTime files can be used to host an attack against IE, Raff said.

This attack uses the same vulnerability disclosed earlier this week by Petko D. Petkov (pdp) that could be used to launch code execution attacks on Windows users if Firefox is set as the default browser.

Raff is very familiar with this vulnerability. Earlier this year, during the Month of Apple Bugs project, Raff expanded on Petkov's earlier discovery and published an exploit (MOAB #3) to show how booby-trapped QuickTime files can remotely execute harmful code against Windows users.

Interestingly, Apple patched Raff's MOAB flaw with QuickTime 7.1.5 (even crediting the project in its advisory) but it's now clear that the fix was inadequate. "It wasn't fully fixed," Raff said, noting that QuickTime still allows protocol handlers from external Web sites.

Apple does not respond to queries on specific security vulnerabilities.

The company has also been very tardy on supplying a fix for a code execution flaw in its Java runtime implementation. That flaw, rated critical by security experts, was first reported more than 10 months ago.

Talkback

18 comments
  • Simple solution

    I did install QT on my Vista home computer, mostly out of habit. However, its constant nagging me to install iTunes alone is enough to make me change my mind. This, combined with Apple's total lack of understanding of security issues, leads me to conclude that QT has no place on systems that I manage anymore.

    Solution: Uninstall, and never reinstall.
    itpro_z
    • Or

      Don't use Windows.

      Simple.
      People
      • You might as well say...

        ...give up computers.

        Simple
        itpro_z
        • You may be on to something.

          The mere existence of computers has not made me a more happy person. Quite the contrary. Maybe you have something there worth thinking about more.

          I've given up cable and after the initial shock I have found that I'm actually happier not having the filth streaming into my living room.
          People
        • Right

          I guess the 22 million Mac users must really feel left out.....you know because they are not using a real computer unless they're using Windows. Heck Linux users must feel the same, what would they do without Windows? ;-)
          dave95.
          • Wow

            Wow, 22 million! I guess us 400,000,000 Windows users just don't have a chance!

            What I actually meant was that as a network administrator, I would be out of a job if I decided to just quit using Windows. Not as simple a choice as it might be for a home user.
            itpro_z
          • as a network administrator, I would be out of a job

            Learn how to use Linux and get a job as a Linux Admin.
            tracy anne
          • Yeah

            I have installed Linux servers for years, going back to SCO Xenix running on 286s. I don't claim to be a Linux Admin, but I don't have any trouble with installing, using, or supporting Linux. We have a few Linux boxes here, but most of our servers are Win2003. On the desktop, though, Windows still dominates, and will continue to do so for some time.
            itpro_z
          • Wasn't it shown that

            Macs are vulnerable to this bug earlier this year? As I recall, AFTER the Windows patch, someone showed that the Mac was vulnerable as well.

            Unless they created a different, and better, solution for OS X, it seems likely this QuickTime vulnerability exists on that platform too.
            notsofast
        • give up computers.

          But why? When there is an excellent computer system, that is not only secure, and immune to things like this Quicktime flaw, and the Skype worm (I know for certain, in both cases, because I made the tests on Mandriva Linux) and well, viruses in general.... and it's Free. Just give up Microsoft Windows, and learn a new way of doing things.
          tracy anne
          • I agree...

            ...except that I run XP at work and Vista at home, and they are also very secure and virus free. Linux is certainly improving, but I doubt that it is quite ready for the masses. If I ever do give up Windows, though, Linux would be my first choice. It at least offers me the same type of hardware options and choices that I am used to with Windows, unlike the Mac environment, where you are locked in to a single source.
            itpro_z
    • Quick Time Alternative

      Check out QuickTime Alternative at:
      http://www.free-codecs.com/download/QuickTime_Alternative.htm

      I believe it's a better player than the original. Just my opinion, though.

      Interested Amateur
      Interested Amateur
  • What? I'm left out again?

    Please add support for Firefox 2.0 on Ubuntu Linux 7.04... http://www.ubuntu.com/
    galileon
    • No you're not.

      I'm using Firefox 2.0 on Ubuntu 7.04 right now.
      Amaroq
  • IE7 is not affected

    Another reason to upgrade to IE7
    qmlscycrajg
    • Sounds simple, but...

      qmlscycrajg wrote:

      "Another reason to upgrade to IE7"

      For many people this means buying a newer version of Windows, or a new computer, or both. Although it can be argued that this is a Good Thing, it remains enough of a challenge for many people that it's just not going to happen.
      JDThompson
  • Pie Eaters

    Or Piety. Don't use this or don't use that because it has a flaw. Mostly, it's don't use .exe because it's a Windows program or .app because it's an Apple program. The computer groupies who never conceived a line of code in their life have decided what's good and what's bad. If you look a bit deeper you'll see a lot of bad but it's in their preferred system and can be overlooked and remain unspoken. The concept of "Mine is better than yours." actually means "My buying decision and its consequences on my perceived intelligence is better than yours." "I'm better than you because I bought Windows, or Apple, or Linux etc." Some groupies remind me of the sinking ship wherein the would-be survivor grabs an anchor because he knows it's going over the side too but beyond that thought, there's nothing.
    trm1945
  • RE: Unpatched QuickTime-to-Firefox flaw dings IE too

    The reason it affects IE, as well as Firefox, is that the vulnerability is in reality a Microsoft Windows vulnerability.

    This so-called Quicktime flaw has no effect at all on Linux. In fact I opened all of the test pages, that demonstrate how the vulnerability works, with Firefox on my Linux box and nothing happened, the payload was not delivered.

    This Quicktime flaw is very like the Skype flaw, which is used to infect Windows computers, with a worm, it requires the poor security model upon which all Windows OSs are built, to work.
    tracy anne