Print this article  |  E-mail this article  |  Comment on this article

Firefox Update Addresses QuickTime-triggered Vulnerability

By Scott M. Fulton, III, BetaNews

September 20, 2007, 5:09 PM

Users of Firefox yesterday began receiving notices of the availability of version 2.0.0.7, which the Mozilla organization said addresses a vulnerability involving Apple's QuickTime plug-in. In BetaNews tests of the new version this afternoon, the vulnerability in question appears to have been fully patched.

In a recent permutation of what might have been a very old, very open hole, a malicious Web page was capable of spawning a new running copy of the default Web browser, and then - if that browser was Firefox - trigger it to try to load QuickTime by pointing it to a file whose type QuickTime is known to handle (typically .MOV files). Whether or not that file actually existed, the trigger could be crafted to contain JavaScript code that ran unchecked, possibly enabling the execution of any kind of binary code.

As security consultant Petko D. Petkov demonstrated last week, that hole could be easily exploited on Windows XP-based systems where Firefox was the default browser. In his non-malicious example, Petkov was able to trigger Notepad and other non-harmful programs to run.

BetaNews tried several permutations of Petkov's exploit on Windows XP and Windows Vista systems where the recently patched Firefox 2.0.0.7 was the default browser. In each case, the exploit did not trigger an executable file to run; instead, a second copy of Firefox would run and pull up its usual home page.

As Mozilla security chief Window Snyder posted on her team's blog on Tuesday, as the patch was being prepared for release, "When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks you guys, for helping destroy the economics of malicious exploit development."

But as Petkov proclaimed last week, he had been trying to awaken Mozilla's attention to the existence of the basic trigger behind the exploit for as long as a whole year.

Rather than gloat about having catalyzed a solution to the problem, Petkov announced on his blog today that he had discovered a similarly highly vulnerable exploit involving Adobe PDF files. He has not yet revealed details, instead publicly requesting Adobe to contact him personally for more information.

Add a Comment (8 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By Paradise-FH-

edited Sep 20, 2007 - 5:51 PM

well that's peculiar ... wonder how i managed to create a blank message while putting in the text "k."

Score: 0

By PC_Tool

edited Sep 22, 2007 - 10:31 AM

Replies of less than 3 characters show up blank. I am sure there are ways around it, but that's the basic rule.

Score: 0

By iceing

posted Sep 21, 2007 - 7:37 PM

did you know you could have also edited your message?

Score: 0

By TomeOne

posted Sep 20, 2007 - 7:25 PM

It doesn't allow short replies like that. :P

Score: 0

By mjm01010101

posted Sep 20, 2007 - 5:31 PM

I just uninstalled quicktime. I'm done with that format, because I'm done with itunes and Apple software.

Score: 0

By Bobbitchin

edited Sep 21, 2007 - 11:18 PM

Who uses Quicktime anyway? I mean besides movie trailers from the Apple site?

I have been using Quicktime alternative for quite some time.

But really I can not even remember the last time I ran across an actual Quicktime movie on the web.

Score: 0

By PC_Tool

posted Sep 22, 2007 - 10:30 AM

Don't forget yahoo's trailers as well (though they may be the same damn files, just re-linked).

They need to switch to DivX and link 'em all through stage6.

Score: 0

By Paradise-FH-

edited Sep 20, 2007 - 5:50 PM

Score: 0

Nov 21 - 9:29 PM ET Hurd's the word in Ballmer's e-mail nightmares

Nov 21 - 6:51 PM ET Coalition urges better laws for e-mail and cell phone privacy

Nov 21 - 6:42 PM ET How is Internet advertising faring in this bad economy?

Nov 21 - 6:15 PM ET From out of the Amazon Cloud, an AWS winner emerges

Nov 21 - 5:20 PM ET Mufin music finder enters public beta, adds widgets

Nov 21 - 5:01 PM ET Google launches its SearchWiki semantics plug-in

Nov 21 - 4:57 PM ET Asus previews a slimmer, less costly Eee PC

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update