Exploit Discovered Impacting QuickTime, Firefox on Windows XP

A London security analyst working with the open source group GNUCitizen has discovered a potentially serious exploit that could affect users of the Firefox browser and Apple's QuickTime movie and music player - especially iTunes customers - on Windows XP-based machines. BetaNews tested and verified the severity of the exploit.

As early as one year ago, as Petko D. Petkov wrote yesterday, he discovered that JavaScript code appearing in the <EMBED> tag of an HTML file could launch a new Web browser instance, feeding it any kind of default code that isn't checked before being executed.

Unfortunately, the exploit is so simple in concept that the most general description of how it works may give some clues as to how to try it; but of course, Petkov gives a more complete explanation for the benefit of anyone interested in trying to put a stop to it.

On an XP-based system where Firefox is the default browser, when an <EMBED> tag references a file whose type is handled by QuickTime, it then passes the name of that file to QuickTime in trying to launch it, even if the file doesn't really exist. For the exploit to work, the file should not exist.

In launching QuickTime, the browser then can pass JavaScript code to the plug-in using what are called chrome privileges. This is a privilege class that was created with special elevation in order to allow either the plug-in or third parties to attach code to enable skins or special settings, so that the plug-in appears and behaves according to user's preferences. That code is apparently not checked beforehand, so it's possible to embed JavaScript code within it that creates and launches another instance of Firefox. That instance may then be passed another swatch of JavaScript code, which is also apparently not checked.

It's that code which could conceivably do just about anything, as Petkov demonstrates in a handful of non-malicious experiments posted on GNUCitizen.

BetaNews used portions of Petkov's proof-of-concept code, and also tried our own variations on his theme to test for severity. We discovered on two Windows XP-based systems that the exploit can be made to launch unauthorized code through the code-generated instance of Firefox, in cases where QuickTime handled the file type of the false embedded file in question.

The exploit works only when Firefox is the default browser. It does not work when Internet Explorer 7 is the default browser. However, when Firefox is the default, the exploit does work anyway even if IE7 contains the embedded link. So you could still be seeing an IE7 Web page, click on the link to the false file, have it pull up QuickTime, and watch helplessly as QuickTime instantiates a copy of Firefox, from which the havoc may then take place. If IE7 is the default browser, we discovered, QuickTime will instantiate a new IE7 window, but it will not execute the second swatch of embedded code. This is on XP systems with the latest Microsoft security updates for Windows and IE7.

Also, the exploit does not work when Windows Media Player is the handler for the false file, whether the embedded link is viewed through Firefox or IE7.

In BetaNews tests of the exploit in Windows Vista, the exploit failed even when Firefox was set to be the default browser. In all cases, Vista generated an error message saying it could not locate the element in question, and then revealed the content of that element - the potentially malicious code.

This is far from the first exploit discovered involving the triggering of malicious code from Firefox by means of unchallenged chrome privileges given to a plug-in. BetaNews found examples of other exploits in US-CERT's database of past warnings, including this item from 2005.

One member of GNUCitizen reports a test of the exploit being successful in Mac OS X, where Firefox and not Safari is set as the default browser.

Late yesterday, Mozilla acknowledged the severity of the exploit itself, posting a notice on its Security Blog saying, "Petkov provided proof of concept code that may be easily converted into an exploit, so users should consider this a very serious issue."