Feel Firefox - blog, extensions, themes and more


Severe QuickTime vulnerability in Firefox disclosed

September 12th, 2007

GNUCITIZEN, a “creative hacker organization”, has disclosed details of a severe security vulnerability affecting Firefox users who have installed the QuickTime plugin on Windows or Mac OS X, which at a minimum includes all iTunes users.

The vulnerability is based on QuickTime Media Link files (.qtl), simple XML files that include details about the media file to be played (like an .avi, .mov or .mp3) and other settings. However, one of these parameters, qtnext, allows the publisher to specify a URL (web address) to be displayed when the media file ends. The URL could be a JavaScript instruction like those currently used in thousands of web pages and services.

Up to this point there is no problem. But Firefox itself is controlled through JavaScript code and libraries that run in an isolated environment, separated from the code of web pages. The QuickTime plugin, however, can access the Firefox code just like any other object and manipulate it to run any application on an attacked computer.

To make things worse, QTL files can be renamed as .mp3, .mpg, .avi or any of a couple of dozen file formats QuickTime supports, and QuickTime will still handle them properly, which makes possible attacks easier.
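A defensive check for the two points above (media-link markup hiding behind a media extension, and a qtnext value that is not a plain web address), as an added example that is not code from this post or from GNUCITIZEN. The function names, the policy of accepting only http/https values, and the sample inputs are assumptions made for the illustration.

```python
import os
import re

# Matches qtnext="..." or qtnext='...' in any letter case. The \d* also
# accepts numbered forms such as qtnext1 (an assumption beyond the post).
QTNEXT_RE = re.compile(rb"""\bqtnext\d*\s*=\s*(["'])(.*?)\1""", re.I | re.S)

# Assumed policy: only plain web addresses are acceptable in qtnext.
ALLOWED_PREFIXES = ("http://", "https://")


def looks_like_markup(data):
    """True when the content starts like XML text rather than binary media."""
    head = data[:512].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM and whitespace
    return head.startswith(b"<")


def scan_media_file(name, data):
    """Return a list of findings for one downloaded or served file."""
    findings = []
    if not looks_like_markup(data):
        return findings  # real audio/video is binary; nothing to inspect
    ext = os.path.splitext(name)[1].lower()
    if ext != ".qtl":
        findings.append("markup served as %s instead of .qtl" % (ext or "(no extension)"))
    for match in QTNEXT_RE.finditer(data):
        value = match.group(2).decode("utf-8", "replace").strip()
        if not value.lower().startswith(ALLOWED_PREFIXES):
            findings.append("qtnext is not a web address: %r" % value)
    return findings


# Constructed samples (not taken from any real site or test case).
RENAMED_QTL = (b'<?xml version="1.0"?>\n'
               b'<embed src="song.mp3" qtnext="javascript:void(0)"/>\n')
PLAIN_QTL = (b'<?xml version="1.0"?>\n'
             b'<embed src="clip.mov" qtnext="http://example.com/next.mov"/>\n')
REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x21" + b"\x00" * 64

if __name__ == "__main__":
    for name, data in (("song.mp3", RENAMED_QTL),
                       ("clip.qtl", PLAIN_QTL),
                       ("track.mp3", REAL_MP3)):
        print(name, scan_media_file(name, data) or "clean")
```

The check is deliberately strict: a relative address in qtnext is also reported, so expect some noise on legitimate media-link files.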

The test cases posted by GNUCITIZEN are really scary: click on an mp3 and the QuickTime plugin tries to load the file, which doesn’t exist, so it quickly completes and launches Windows Calculator. But it could be any application with any parameter.

It’s not clear to me where the responsibility lies, but QuickTime enforcing appropriate file format naming would at least help to know when a site is serving a file that could possibly include some scripting.

On the other hand, Firefox shouldn’t allow a plugin to script its code. To aggravate things, this is the third time GNUCITIZEN has disclosed this same vulnerability: it was initially disclosed about a year ago and again some months later.

Given the severity of the vulnerability, it needs to be fixed now.

In the meantime, if you have the QuickTime plugin installed, virtually any media file could take control of your computer, so I suggest disabling the plugin as soon as possible.

I guess there are more civilized ways of doing this, but while we find one, just rename the plugins folder in the QuickTime install location. On Windows, by default it is C:\Program Files\QuickTime. Media files will still be associated with the plugin, so clicking on a media file will open a blank page; this is just a quick protection.

Via Mozillalinks.org
