QuickTime-Java 'attack vector' reported: now can affect all browsers

Nist.org's Network Information Security and Technology's Network Information Security & Technology News reported earlier this week about some  incompatibilities between Apple's Quicktime player (shown above) and Apple's Safari browser.

But that's not all. 

The latest about this bug is that the QT incompatibilities are not limited to Safari, but to Windows OS browsers as well.

NIST says the Quicktime bug seems to be passed to it by a Java capable web browser using the Quicktime for Java interface.

"Any web browser that supports Java will become a vulnerability vector if Quicktime is installed," NIST reports. 

"If Java support is disabled in the browser it can no longer be used for an attack. Currently Safari and Firefox are confirmed vectors on the MacIntel OSX platform. Currently it is known that Windows Quicktime is vulnerable as well," NIST says.

Here are some further details from NIST:

What is not known is to what degree. If the attack is a buffer overflow an actual "exploiting the box" type attack may be OS specific. In other words Quicktime under Windows may simply crash or hang the computer if the same exploit code is used. Converting a buffer overflow in to a full fledged exploit takes time and is not always possible. But they did it on the OSX platform so it is entirely possible that someone can do it on the Windows platform as well. However, if the exploit simply takes advantage of a function built-in to Quicktime than the current exploit may work on both platforms.

NIST then offers these suggestion on how to fix this: 

• Turn off Java support in your browser
  
• Uninstall Quicktime
  
• If you use Firefox, use the NoScript plugin to disallow Java on a site by site basis