RSSFirefox Update Addresses QuickTime-triggered Vulnerability
By Scott M. Fulton, III | Published September 20, 2007, 5:09 PM
Users of Firefox yesterday began receiving notices of the availability of version 2.0.0.7, which the Mozilla organization said addresses a vulnerability involving Apple's QuickTime plug-in. In BetaNews tests of the new version this afternoon, the vulnerability in question appears to have been fully patched.
In a recent permutation of what might have been a very old, very open hole, a malicious Web page was capable of spawning a new running copy of the default Web browser, and then - if that browser was Firefox - trigger it to try to load QuickTime by pointing it to a file whose type QuickTime is known to handle (typically .MOV files). Whether or not that file actually existed, the trigger could be crafted to contain JavaScript code that ran unchecked, possibly enabling the execution of any kind of binary code.
As security consultant Petko D. Petkov demonstrated last week, that hole could be easily exploited on Windows XP-based systems where Firefox was the default browser. In his non-malicious example, Petkov was able to trigger Notepad and other non-harmful programs to run.
BetaNews tried several permutations of Petkov's exploit on Windows XP and Windows Vista systems where the recently patched Firefox 2.0.0.7 was the default browser. In each case, the exploit did not trigger an executable file to run; instead, a second copy of Firefox would run and pull up its usual home page.
As Mozilla security chief Window Snyder posted on her team's blog on Tuesday, as the patch was being prepared for release, "When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks you guys, for helping destroy the economics of malicious exploit development."
But as Petkov proclaimed last week, he had been trying to awaken Mozilla's attention to the existence of the basic trigger behind the exploit for as long as a whole year.
Rather than gloat about having catalyzed a solution to the problem, Petkov announced on his blog today that he had discovered a similarly highly vulnerable exploit involving Adobe PDF files. He has not yet revealed details, instead publicly requesting Adobe to contact him personally for more information.
well that's peculiar ... wonder how i managed to create a blank message while putting in the text "k."
Score: 0
|It doesn't allow short replies like that. :P
Score: 0
|did you know you could have also edited your message?
Score: 0
|Replies of less than 3 characters show up blank. I am sure there are ways around it, but that's the basic rule.
Score: 0
|I just uninstalled quicktime. I'm done with that format, because I'm done with itunes and Apple software.
Score: 0
|Score: 0
|Who uses Quicktime anyway? I mean besides movie trailers from the Apple site?
I have been using Quicktime alternative for quite some time.
But really I can not even remember the last time I ran across an actual Quicktime movie on the web.
Score: 0
|Don't forget yahoo's trailers as well (though they may be the same damn files, just re-linked).
They need to switch to DivX and link 'em all through stage6.
Score: 0
|