Petko Petkov, the founder of penetration-testing organization Gnucitizen, noted in a blog posting that the “vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system.” Petkov added that he first released information about a pair of QuickTime bugs a year ago, but noted that only one had been fixed.
This second, still outstanding vulnerability remains an issue for Firefox users relying on the QuickTime plug-in, Apple’s widely used multimedia software for handling video, sound, animation, text and music. QuickTime is also a component of the iTunes media player, which runs on PCs and Macs.
Petkov posted several proof-of-concept exploits on his blog.
The problem occurs when Firefox is set as a user’s default browser and the user plays a malicious media file handled by QuickTime. The problem — so far only proven on Windows systems — can occur while browsing or opening a malicious media file directly in QuickTime.
“The first vulnerability was fixed, but the second one was completely ignored,” Petkov wrote on his blog. “I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a low-risk issue can be turned into an easy-to-perform high-risk attack.”
In a blog posting, Mozilla representative Window Snyder noted, “Mozilla is working with Apple to keep our users safe . . . we are also investigating ways to mitigate this more broadly in Firefox.”
“The QuickTime plug-in for Firefox isn’t properly validating all the input parameters,” he said, adding that the flaw points to a lack of proper security knowledge on the part of Firefox’s developers.
Schultze called the Firefox/QuickTime vulnerability just as bad as any of Microsoft’s critical security flaws.
Until the Mozilla Foundation releases a fix for the flaw, he urged Firefox users with the QuickTime plug-in to either make Internet Explorer their default browser or not click on movie files. He expects a patch to be available within a week.