Apple Repairs QuickTime Glitch, Closes Browser Exploit

A security update released by Apple this morning for users of QuickTime for Windows appears to eradicate the exploitable hole discovered last month by GNUCitizen.org developer Petko D. Petkov.

That exploit enabled the Web browser to pass JavaScript code to the QuickTime plug-in, which then passed it back to Firefox when Firefox was the default Web browser. The code could then run unchecked, theoretically giving a malicious user almost total access to a client's system, including its file system and command line.

The 2.0.0.7 update to Firefox, released last week, closed a big part of the hole: Although QuickTime continued to trigger Firefox when it was the default Web browser, Firefox would not run the malicious JavaScript code.

Now, as BetaNews tests confirm, Apple's update shuts the other door: QuickTime no longer launches a Web browser when it encounters a filename that fits its accepted pattern (for instance, an MOV file) but that doesn't actually exist.

A security bulletin on Apple's Web site fully acknowledged and explained the repaired deficiency. The security update only works on the most recent QuickTime 7.2 version.
