Exploit Discovered Impacting QuickTime, Firefox on Windows XP

By Scott M. Fulton, III | Published September 13, 2007, 12:09 PM

A London security analyst working with the open source group GNUCitizen has discovered a potentially serious exploit that could affect users of the Firefox browser and Apple's QuickTime movie and music player - especially iTunes customers - on Windows XP-based machines. BetaNews tested and verified the severity of the exploit.

As early as one year ago, as Petko D. Petkov wrote yesterday, he discovered that JavaScript code appearing in the <EMBED> tag of an HTML file could launch a new Web browser instance, feeding it arbitrary code that is executed without being checked first.

Unfortunately, the exploit is so simple in concept that the most general description of how it works may give some clues as to how to try it; but of course, Petkov gives a more complete explanation for the benefit of anyone interested in trying to put a stop to it.

On an XP-based system where Firefox is the default browser, when an <EMBED> tag references a file whose type is handled by QuickTime, it then passes the name of that file to QuickTime in trying to launch it, even if the file doesn't really exist. For the exploit to work, the file should not exist.

In launching QuickTime, the browser can then pass JavaScript code to the plug-in using what are called chrome privileges. This is a privilege class that was created with special elevation in order to allow either the plug-in or third parties to attach code that enables skins or special settings, so that the plug-in appears and behaves according to the user's preferences. That code is apparently not checked beforehand, so it's possible to embed within it JavaScript code that creates and launches another instance of Firefox. That instance may then be passed another block of JavaScript code, which is also apparently not checked.
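A defender-side check for the page shape the article describes, added here as an example (it is not Petkov's or BetaNews' code): it scans HTML for <EMBED> tags whose src points at a QuickTime-handled file type and whose attributes carry script-like values. The extension list, the sample page and its "extra" attribute are constructed assumptions, not details from the article.

```python
"""Flag <embed> tags that reference a QuickTime-handled file type while also
carrying script-like attribute values, the combination the article describes."""
import re
from html.parser import HTMLParser

# Extensions QuickTime typically registers itself as the handler for.
# Assumption for this example: the article does not enumerate file types.
QUICKTIME_EXTS = (".mov", ".qt", ".mp4", ".m4v", ".m4a", ".3gp", ".qtl")
SCRIPT_MARKERS = re.compile(r"javascript:|<script|\beval\(", re.IGNORECASE)


class EmbedScanner(HTMLParser):
    """Collects one finding per suspicious <embed>: (src, [attribute names])."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "embed":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        src = attrs.get("src", "")
        path = src.split("?", 1)[0].split("#", 1)[0].lower()
        if not path.endswith(QUICKTIME_EXTS):
            return  # would not be handed to QuickTime, so out of scope here
        hits = sorted(k for k, v in attrs.items() if SCRIPT_MARKERS.search(v))
        if hits:
            self.findings.append((src, hits))


def scan_html(html):
    """Return a list of (src, suspicious_attribute_names) for one HTML page."""
    scanner = EmbedScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a benign clip, an embed of a file that need not
# exist with a script-bearing attribute, and a non-QuickTime type (ignored).
SAMPLE = """
<html><body>
<embed src="intro.mov" width="320" height="240">
<embed src="missing.mov" extra="javascript:alert(1)" />
<embed src="song.wma" extra="javascript:alert(1)">
</body></html>
"""

if __name__ == "__main__":
    for src, attrs in scan_html(SAMPLE):
        print(f"suspicious embed: src={src!r} script-like attrs={attrs}")
```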

It's that code which could conceivably do just about anything, as Petkov demonstrates in a handful of non-malicious experiments posted on GNUCitizen.

BetaNews used portions of Petkov's proof-of-concept code, and also tried our own variations on his theme to test for severity. We discovered on two Windows XP-based systems that the exploit can be made to launch unauthorized code through the code-generated instance of Firefox, in cases where QuickTime handled the file type of the false embedded file in question.

The exploit works only when Firefox is the default browser. It does not work when Internet Explorer 7 is the default browser. However, when Firefox is the default, the exploit works even if the embedded link is on a page viewed in IE7. So you could still be viewing an IE7 Web page, click on the link to the false file, have it pull up QuickTime, and watch helplessly as QuickTime instantiates a copy of Firefox, from which the havoc may then take place. If IE7 is the default browser, we discovered, QuickTime will instantiate a new IE7 window, but it will not execute the second block of embedded code. This is on XP systems with the latest Microsoft security updates for Windows and IE7.

Also, the exploit does not work when Windows Media Player is the handler for the false file, whether the embedded link is viewed through Firefox or IE7.

In BetaNews tests of the exploit in Windows Vista, the exploit failed even when Firefox was set to be the default browser. In all cases, Vista generated an error message saying it could not locate the element in question, and then revealed the content of that element - the potentially malicious code.

This is far from the first exploit discovered involving the triggering of malicious code from Firefox by means of unchallenged chrome privileges given to a plug-in. BetaNews found examples of other exploits in US-CERT's database of past warnings, including this item from 2005.

One member of GNUCitizen reports a test of the exploit being successful in Mac OS X, where Firefox and not Safari is set as the default browser.

Late yesterday, Mozilla acknowledged the severity of the exploit itself, posting a notice on its Security Blog saying, "Petkov provided proof of concept code that may be easily converted into an exploit, so users should consider this a very serious issue."

Comments


Well apparently, having noscript installed seems to block this problem, even if you whitelist the site. Personally, I always have noscript and the latest quicktime installed, and I can't get the test exploit to work.

There's a testcase listed here: https://bugzilla.mozilla.../show_bug.cgi?id=395942
(It alerts "Vulnerable" if privileged code was allowed to run, so test for yourself - just scroll down to where it says "testcase" to find it)

So there's a workaround for you until someone cleans up this mess :)

Using FF-2.0.0.6 w/noscript 1.1.7.1 on XPSP2, latest quicktime plugins, IE7 and WMP10 installed, etc. etc.

Score: 0


I just dumped quicktime. I've had it with that plug-in/media player. I rarely come across the need for it anyway.

Score: 0


nvm, was unable to get on the source page. Now I see some proof of concept exists ... thanks

Score: 0


All you need to protect yourself is bufferzone

http://www.trustware.com/

they have a free download fix for Firefox and quicktime.

Score: 0


Lest you think Media Player Classic is any better:
http://secunia.com/advisories/26806/
MPC is no longer in development... so the only option (right now) you have is to stop using it!

Score: 0


Not true. It is constantly being updated.

Score: 0


http://sourceforge.net/p...03&package_id=84358
Am I missing something? I show its last mod date as March '06.

Score: 0


I wonder if this also impacts Seamonkey?

Score: 0


I have been spoiled. Linux and the no-script plug-in for firefox (make that iceweasel), and nothing touches me. For a moment I thought, wow, this might finally be the vulnerability that affects me, but no.

Score: 0


Pick your poison:
http://secunia.com/product/2719/?task=advisories

That's just the kernel.

Score: 0


So... what is a good workaround?

Software Restriction Policy on Quicktime? (That's an Active Directory thing for preventing applications from running...)

Score: 0



1. Don't use QuickTime, or
2. Don't use Firefox (yikes!!!), or
3. Get Vista

Oh, wait, just noticed you're looking for a "good" workaround.

Score: 0


I never liked quicktime, but now I can claim it's for security reasons.

Score: 0


Darned interweb. It's a bunch of TUBES!

Score: 0


Go back to /b

Score: 0
