Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Apple Repairs QuickTime Glitch, Closes Browser Exploit

By Scott M. Fulton, III, BetaNews

October 4, 2007, 2:24 PM

A security update released by Apple this morning for users of QuickTime for Windows appears to eradicate the exploitable hole discovered last month by GNUCitizen.org developer Petko D. Petkov.

That exploit enabled the Web browser to pass JavaScript code to the QuickTime plug-in, which it then passes back to Firefox when it's the default Web browser. The code could then run unchecked, theoretically enabling a malicious user almost total access to a client's system, including his file system and command line.

The 2.0.0.7 update to Firefox, released last week, closed a big part of the hole: Although QuickTime continued to trigger Firefox when it was the default Web browser, Firefox would not run the malicious JavaScript code.

Now, as BetaNews tests confirm, Apple's update shuts the other door: It no longer launches a Web browser when it encounters a filename that fits its accepted pattern (for instance, an MOV file) but which doesn't actually exist.

A security bulletin on Apple's Web site fully acknowledged and explained the repaired deficiency. The security update only works on the most recent QuickTime 7.2 version.

Add a Comment (7 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By philosopher_dog

posted Oct 5, 2007 - 2:21 PM

It wouldn't update for me. Is it not relevant to the pro version of quicktime? It starts installing and then just seems to forget about it after the initial window.

Score: 0

By xer0

posted Oct 4, 2007 - 4:57 PM

and here come the "that why i dont use firefox replies"

Score: 0

By mjm01010101

posted Oct 5, 2007 - 5:03 PM

That is why I DO use firefox. this particular exploit was fixed within days of discovery, didn't require a reboot of my PC, and took seconds to apply.

Score: 0

By NULLedge

posted Oct 4, 2007 - 5:13 PM

i was thinking more along the lines of "apple says it never has wiruses" lines

Score: 0

By PC_Tool

posted Oct 5, 2007 - 9:27 AM

What's with the v/w thing? Are you turning into a wascawy wabbit?

Score: 0

By mjm01010101

posted Oct 4, 2007 - 3:34 PM

Quicktime
Itunes
Get your updates this week! Prepare and test for next week's 'sploits!

Score: 0

By NULLedge

posted Oct 4, 2007 - 5:12 PM

oh noes! the sploits! im wulnerable! *dies*

Score: 0

Jul 3 - 6:45 PM ET Netflix box by Roku to get more content providers

Jul 3 - 6:30 PM ET US Justice Dept. sued for info on cellular tracking practices

Jul 3 - 6:27 PM ET Next Patch Tuesday has few security updates, big Vista reliability fix

Jul 3 - 5:49 PM ET BlackBerry Pearl users can test voice input for Google Maps

Jul 3 - 5:30 PM ET Adobe pushes its Flash 10 beta 2 refresh

Jul 3 - 4:39 PM ET Nokia and InterDigital start to disassemble their running feud

Jul 3 - 4:34 PM ET Do-it-yourself phone manufacturer declares its independence tomorrow

Jul 3 - 4:16 PM ET Study: US broadband access up overall, but down among the poor

Jul 3 - 3:54 PM ET Beta test a portable Web browsing device

Jul 3 - 3:20 PM ET Nvidia: 'Previous generation' GPUs failing at high rates