Security maven: QuickTime flaw threatens PCs, Macs
Year-old bug pulls a fast on Firefox
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
A researcher has demonstrated how a security bug in Apple's QuickTime media player that was disclosed a year ago can cause Firefox to install backdoors and other malware on a fully patched computer. He said both Windows and Mac systems are vulnerable.
The researcher, Petko D. Petkov, on Wednesday posted proof-of-concept code that shows how the exploit can be used to run privileged code on an unwitting user's machine.
The XML code calls up a QuickTime-supported file such as foo.mp3, which doesn't exist on the victim's machine. The code then instructs QuickTime to load a second file. The thing is, QuickTime isn't particularly picky about the type of URLs it passes on to Firefox, so attackers are free to include addresses with Firefox's "chrome" parameter, which is used to run privileged code on a user's machine.
"On its own, the QuickTime issue is less critical," Petkov said in an email. "Firefox is not vulnerable either. But when put together, they create a very dangerous combination."
He went on to say he is "101 percent confident" that the vulnerability can allow an attacker to "easily download any rootkit, spyware, adware, etc. and dump it on the client machine in a few seconds." While his exploit was tested only on Windows, he adds, "I see no reason why it shouldn't work on Mac." For the attack to work, users must be logged in as an administrator.
Petkov first reported the QuickTime issue last September, a warning he says was "completely ignored."
Apple representatives didn't respond to a request for comment.
Window Snyder, "chief security something or other" at Mozilla, said through a spokesman: "We have spoken to Apple and they are working on the issue."
As is often the case with vulnerabilities affecting Firefox, users can protect themselves against this exploit by using the NoScript extension. According to this post at hackademix.net, the addon will prevent Petkov's exploit from working even if a user has whitelisted gnucitizen.org, where the code is being hosted. The addition of a certain top-level chrome protection some three months ago makes this possible.
The vulnerability is reminiscent of a vulnerability that first came to light in July. When it was exploited, the Internet Explorer browser would cause Firefox to execute malicious code. The episode touched off debate about exactly who was responsible for the weakness. While Mozilla has plugged the hole, it has also called on Microsoft to patch IE so it vets code for security before passing it along to other applications. So far Microsoft has not done so.
Petkov's proof of concept also demonstrates how seemingly minor security bugs can be magnified into major issues when combined with other unrelated bugs. If Apple security wonks figured this year-old QuickTime issue was too trivial to bother repairing, they may want to think again. ®
Please direct news tips, story ideas, inside scuttlebutt and other security-related intelligence to this reporter by using this link. Confidentiality assured.
COMMENTS
Firefox doesn't need admin
"Unfortunately, for Firefox to work, users must be logged in as an administrator."
That is completely untrue. Firefox works fine under a non-admin account. I'm using it on Vista under UAC right now and I have also used it on XP under a non-admin account.
@snafu
"admin-level" in OSX isn't the same as root. AFAICT, you get sudo privilege and access to files/folders in the admin group so you could do some damage but it is limited.
Obviously, more damage can be done once you have responded to a prompt for your password but who would be dumb enough to do that? Oh, wait...
Re: Regardless of some comments
The "if more people used Linux/Unix there would be more exploits for it" argument is bogus. It's a variant of the "security through obscurity" argument, and is possibly a result of a too narrow-sighted view of IT as a whole.
The vast majority of Internet servers run Unix, yet Windows boxes remain the softest targets. Not because Unix machines can't be cracked (historically, most famous cracks were against Unix, which used to be perceived as having weak security compared to the competition!) or aren't attractive targets - in fact, cracked Unix hosts are highly prized among black hats because one can do more with them than with the average Windows PC.
The fact that vast hordes of Windows desktops can be trivially taken over by random script kiddies has litle to do with their market dominance, and the fact that this is harder to do with the various *nix flavours has little to do with their lack of presense in the desktop field.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
