Slashdot Mirror


Firefox Susceptible To QuickTime Security Flaw

Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."

231 comments

  1. And this is a firefox problem... by Shoeler · · Score: 4, Insightful

    Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?

    1. Re:And this is a firefox problem... by Volante3192 · · Score: 4, Insightful

      Exactly...the way I'm reading this, if someone opens whatever this is straight in Quicktime it'd be vulnerable.

      Guess they want the more hits by throwing Fox into the mess though, but really, why have Mozilla fix Apple's flaws?

    2. Re:And this is a firefox problem... by aredubya74 · · Score: 5, Insightful

      It's not a Firefox problem inasmuch as a fix to Firefox itself will fix the problem. However, it's a reasonable idea to provide a heads-up to Firefox users (savvy and not-so-savvy) that a popular associated app it interacts with contains a flaw that appears to be unique to said pairing.

      Besides, this is Slashdot. Since when did the headlines make sense?

      --

      RW

    3. Re:And this is a firefox problem... by morgan_greywolf · · Score: 1

      You're right. It's not. But that's how it's going to be perceived by end-users because the exploit happens with Firefox, but not with Safari or IE.

      Here's the deal: This is a QuickTime problem, not a Firefox problem. Apple needs to fix QuickTime. There should be nothing wrong with Firefox handing off the request to an application that's supposed to handle it correctly.

    4. Re:And this is a firefox problem... by m4ximusprim3 · · Score: 0, Offtopic

      Yeah, and how is it the US's problem if we farm out security to an external security firm like blackwa... Oh, wait, you mean it reflects badly on us? What? Why don't people just realize that it's not our fault?

    5. Re:And this is a firefox problem... by the_humeister · · Score: 1

      I don't know. But IE gets blamed for similar sorts of situations as well (but not this particular instance).

    6. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Well in this case the headline made perfect sense.

    7. Re:And this is a firefox problem... by everphilski · · Score: 5, Interesting

      It isn't a firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.

      Glass half empty, half full type thing. Of course, Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?

    8. Re:And this is a firefox problem... by Savage-Rabbit · · Score: 1

      Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?

      Because Internet browsers are one of the commonest entry-points for malware. While one could argue that this strictly speaking isn't a Firefox problem, I for one would still expect a modern web browser to place as many barriers as possible between itself and my OS. The fact that it is standard practice in IE 6/7 to sandbox apps like this as an internal plugin should be enough of a motivation for the Firefox team to go the same way. Being upstaged in security features by a Microsoft product is pretty embarrassing.
      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    9. Re:And this is a firefox problem... by 99BottlesOfBeerInMyF · · Score: 4, Interesting

      Here's the deal: This is a QuickTime problem, not a Firefox problem. Apple needs to fix QuickTime. There should be nothing wrong with Firefox handing off the request to an application that's supposed to handle it correctly.

      I 90% agree with you; however, I do think operating systems should handle transactions with internet applications differently than normal processes. Both Vista and Leopard and any Linux distro with SELinux enhancements have the ability to sandbox certain processes for added security. The reason this exploit does not work with IE is because IE runs it as a plug-in and sandboxes all of those plug-ins within IE. I'd argue that any process to which data is "handed off" by a Web browser, e-mail client, or chat client should run in a sandbox as an extra layer of protection against this common type of attack.

      Yeah, Quicktime is the culprit here and Firefox is not to blame, but I'd argue that the OS (all of them currently) is partly to blame for not sandboxing data coming into the machine via the Web.

    10. Re:And this is a firefox problem... by Shoeler · · Score: 2, Insightful

      Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?

      I'd rather have a browser that focuses on making sites render most correctly, most quickly, and where only its core functions are concerns of the already burdened developers.

      But that's just me talkin'.
    11. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Here is a link to a video showing how this is a firefox issue....

      To see the video, make sure you are running in firefox and have selected quicktime as your default player to get the full effect.

      http://someidiotwillclickme.com/firefox-quicktime-bug.mov

    12. Re:And this is a firefox problem... by pembo13 · · Score: 1

      Well if you voluntarily installed the plugin, I just assumed the browser would trust it. Interesting to find out otherwise. Does that mean the Quicktime plugin could take IE down with it in a crash?

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    13. Re:And this is a firefox problem... by purpledinoz · · Score: 2, Insightful

      My solution is to not use QuickTime. What pisses me off about QT is that it puts itself in the Windows startup, eating up memory for no reason. In fact, I stopped using iTunes altogether because it installs a couple of services AND QuickTime. Plus, it's such a pain in the ass when I plug in my iPod to charge, and my computer starts to kill itself loading up iTunes automatically. I use Winamp with the external ml_ipod plugin. It's much better.

    14. Re:And this is a firefox problem... by sm62704 · · Score: 4, Funny

      Glass half empty, half full type thing.

      The optimist says the glass is half full. The pessimist says the glass is half empty. The scientist says there is .3764666437 litres. The realist says "there's not enough". The doctor says "he's dead, Jim".

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    15. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Oh wow, another 'sploit in FF which allows arbitrary code execution. These things seem to come out on a daily basis.

      Sure makes me glad I'm using IE7! Netscape always was garbage, and there's no reason at all to think a million more sets of eyeballs are going to polish that turd.

    16. Re:And this is a firefox problem... by Bill, Shooter of Bul · · Score: 0, Troll

      I don't want a large number of people using a browser that doesn't take security seriously. Programs have bugs, many of them turn out to be exploitable. For the good of everyone using the net, the dominant technologies should be those that minimize the threat of malicious code. We're just beginning to see the damage that can be wrought by bot nets. So I would hope that in light of your preferences, you would use lynx, or create your own browser and never share it with anyone else.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    17. Re:And this is a firefox problem... by znode · · Score: 4, Funny

      The engineer says that the glass is twice as large as it needs to be.

      Jack Bauer found out where the glass was, who drank the water, and which government they worked for.

    18. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      The video won't play! I keep clicking the link over and over, but it won't play!!

    19. Re:And this is a firefox problem... by Shoeler · · Score: 3, Insightful

      Look - I'm a programmer. It may sound pedantic of me, but I believe programs should be responsible only for what they are designed to do. Clearly this means being responsive and indeed responsible for their own security. Lapses in one's own program are unavoidable but should be quickly and non-quietly fixed. It's an interesting suggestion that the paradigm needs to shift to the parent app being solely responsible for its children's security.

      So taking your logic further, the OS should be responsible for all of this, so it's not even Firefox's problem. ^_^ Apps should be purpose built and responsible for that purpose. If you do the blame game up the line, you'll find tremendous bloat (more so than it already is) creeping into all first-line programs and even more so to the OS. If you don't blame Microsoft and OSX (the only two platforms Quicktime runs on, IIRC) as much as Firefox, you have violated your own thinking line.

    20. Re:And this is a firefox problem... by Kalriath · · Score: 1

      I assume this nearly caused a fatal exception in the minds of the submitter or editor. I mean, they can't blame it on Firefox, because it's the Browser of Gods. And they can't blame it on Quicktime, because it's Apple.

      They would have blamed it on IE, but they couldn't find any way to make any connection (and for the first time ever, IE just kind of sat off to the side and shrugged its shoulders in disinterest that it isn't affected).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    21. Re:And this is a firefox problem... by Duhavid · · Score: 1

      Hopefully they picked the "good package" and not the "big gun".

      --
      emt 377 emt 4
    22. Re:And this is a firefox problem... by thomas.galvin · · Score: 4, Funny

      (and for the first time ever, IE just kind of sat off to the side and shrugged its shoulders in disinterest that it isn't affected).

      As opposed to all of the times IE just kind of sat off to the side and shrugged its shoulders in disinterest even though it was affected.
    23. Re:And this is a firefox problem... by lgw · · Score: 0

      But the purpose of a web browser is to *safely* render content from teh interwebs. Handing off rendering to an unmonitored process fails at this. Rendering in a monitored sandbox is safer (but not perfect). This is Firefox's problem, because Firefox runs at the border of your box.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    24. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      It isn't a firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.
      I doubt that's the case. It's more likely that the author of the article just doesn't understand the subject matter. The Quicktime player and plugin are almost certainly using the same DLL. Since the overflow occurs inside the DLL code, buffer protection in hosting application (IE) is probably not helping at all. However, the memory offsets in IE will be entirely different than the player, which would prevent the exploit. The situation for Safari should be the same. The most likely scenario is that the researcher's PoC simply isn't written for anything other than the base player. After all, that's usually the case with PoC exploits.
    25. Re:And this is a firefox problem... by Nerdposeur · · Score: 1

      I feel your pain. But you can change your setting so that when you plug in your iPod, it doesn't load iTunes automatically. I did.

      I still use iTunes, but it is not my default player. That way if I just want to open a sound file real quick, I can let Winamp handle that in 1 second. But if I'm going to start a nice long playlist while I hang out, I use iTunes.

    26. Re:And this is a firefox problem... by Anonymous Coward · · Score: 1, Insightful

      Simple, Firefox facilitates the Internet experience. Referring to the bad car analogy, it's similar to Ford Explorer and GoodYear tires. Ford did not make the tires but the way they used them on Explorer made it unsafe for the passengers.

    27. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      So taking your logic further, the OS should be responsible for all of this, so it's not even Firefox's problem.
      If you run Firefox on a real OS (i.e. a non-windows one), the OS is being responsible. Firefox is running as a specific user and any attempts by Firefox to do something to the system (save a file, listen on a port, etc) are managed within the context of what that user is allowed to do. Unless the user is dumb enough to run Firefox as root, the OS won't let Firefox do any damage beyond what the user could do.

      It's all a matter of whether you trust code you're running implicitly or whether you add sandbox constraints to prevent code from doing things it's not supposed to. Yes, Quicktime is to blame because it has the vulnerability. But Firefox should be running plug-ins in a way that limits the damage that a malicious plug-in can do. Java applets, for example, are entirely sandboxed...why couldn't Firefox run plugins within a similar setup? If you want to extend the metaphor to an OS, Firefox is currently operating with the Windows 9x mentality of trust first rather than the tried-and-true Unix philosophy. People saying that Firefox needs to change are saying that mentality needs to change.
    28. Re:And this is a firefox problem... by Beardo the Bearded · · Score: 1

      Yes, but if an IE flaw allows Windows Media Player to execute a DirectX DLL that runs a Visual Basic script, then it's probably Microsoft's problem.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    29. Re:And this is a firefox problem... by c_woolley · · Score: 1

      I can't really bring myself to blame an OS though. I do think OS's need to be responsible for security, but the entire purpose of an OS is to support software. Programs cannot run if the OS security is too tight. Let's face it, if all end-users were technical gurus and could write their own software, we'd be out of work.

      I think I am with most people on this one though. Quicktime is a little more to blame here than Firefox. Firefox is probably just utilizing what it can out of the Quicktime app. In doing so, it falls prey to a long-time known QT vulnerability. Maybe Apple needs to look into this for once.

    30. Re:And this is a firefox problem... by Ethanol-fueled · · Score: 3, Insightful

      QT has become the new realplayer. iTunes sucks as well. I found it to be more counterintuitive than the godawful SonicStage for my SONY(don't laugh) mp3 player!

    31. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      You are absolutely right. Firefox has no business downloading and installing Quicktime as part of its own default installation, thereby allowing firefox to hand off rendering to an unmonitored process without any user intervention or choice! How dare they! /sarcasm

    32. Re:And this is a firefox problem... by erroneus · · Score: 1

      It's not directly a firefox problem to be sure and I think everyone generally agrees with that. But where MSIE protects the user from the problem, so too should firefox if it's possible. Is it possible? Would such a facility in the Windows compile of firefox translate or improve user protection under MacOSX and Linux? And could such a facility also protect users if other vulnerabilities are identified in other commonly used extensions or plugins or whatever?

      Again, while it's not directly firefox's problem, it is an opportunity for improvement and it should be seized upon. (But it would be nice to know if there's a vulnerability being trapped so that it can be reported and fixed too...)

    33. Re:And this is a firefox problem... by Bill, Shooter of Bul · · Score: 2, Insightful

      I agree with your logic extension. If the operating system can prevent a security problem, it should as long as it can differentiate between the malicious behavior and normal application behavior. This is why such things as SELinux exist. Every part of the program in the stack should be responsible for its security and prevent any of its children from doing bad things as much as possible.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    34. Re:And this is a firefox problem... by Trails · · Score: 1

      A fix implies a problem. I would challenge the notion that it's up to any one app to manage another's buffers, unless that is the application's specific and express intent.

      Further, a fix to FF will NOT fix the problem (the exploit will still exist in QT), it will only fix it if FF acts as a container for plugins, something that's caused no end of pain from IE.

    35. Re:And this is a firefox problem... by everphilski · · Score: 4, Insightful

      The real problem here is the way Firefox handles the plugins. Or rather does not.

      IE uses a plugin interface to deal with QuickTime. As such, it has a standard framework which does some bounds checking and can find buffer overflows like this one and kill a plugin (or iexplore.exe if necessary) preventing damage.
      Firefox just passes parameters on to an external program.

      Pick your poison, you can probably make justifications for either, but to me the IE method makes more sense. It's embedded content, it should be handled as a plugin to the parent application. You are a programmer, I'm sure you are familiar with the concepts of parents and children :). I'm a programmer too ... I have to sanitize my inputs and sanitize my outputs. When I call functions that aren't mine I have to make sure that they are doing what they should be doing, not wreaking havoc on my computer, and in a sense that's exactly what this comes down to, taking responsibility for a child process.

    36. Re:And this is a firefox problem... by jvkjvk · · Score: 3, Informative

      In a very narrow sense you are correct. The exploit is in Quicktime. However, in a general sense you are wrong because there are other browsers that, through their design and security models, do not allow this to happen. They shut down the offending code.

      It does not really matter that the 'actual' vulnerability is in Quicktime. Firefox is the application that controls whether this vulnerability will affect the user, since it is obvious that it is possible to have code in Firefox that stops this exploit from working.

      It is also a Firefox problem because any other plugin of this type is equally vulnerable using Firefox. From a secure coding point of view, is it your problem if you create an avenue whereby an exploit can occur? Damn straight! In this case, perhaps running the plugins in a controlled and monitored sandbox would be a good design change, instead of forking another process...

    37. Re:And this is a firefox problem... by Cassius Corodes · · Score: 1

      Because unlike IE and safari they didn't treat everything from the Internet as potentially dangerous and provide additional security mechanisms. This is not the first time they were caught out with such an issue.

      --
      Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
    38. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Being upstaged in security features by a Microsoft product is pretty embarrassing.

      I prefer to look at it this way. The botnets and malware that run in the background on the 'net didn't get there by accident, thanks to the availability of compromised windows systems

      FF: /Sarcasm: Oh you got me! My QuickieTime has an exploit! Ooooh!
      MS: At least the score isn't 1000 to zip! HaHA!

    39. Re:And this is a firefox problem... by marcello_dl · · Score: 3, Insightful

      Uhm but let's say we have good dog IE terminating the plugin for an overflow. IE won't be able to tell if it's accidental or malware at work, so it will throw a generic error or a warning at most, and terminate. The user really wants to see "supersexy.mov" so he may be tempted to download or get it from the browser's cache (people getting pr0n likely know about the cache). Or the user got the file by email or downloaded it with a spider. This time Quicktime player is invoked and blam, user is Pwned. So either all players must do bounds checking (inefficient) or it should be the OS, not the browser, the one who babysits processes.

      OTOH, babysitting probably takes up more resources so a paranoid OS will slow down. But IMHO the solution is still to taint dangerous stuff (what you got just downloaded) and have the OS babysit it.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    40. Re:And this is a firefox problem... by purpledinoz · · Score: 1

      There was pretty much one thing that broke the camel's back on iTunes. I updated to a newer version of iTunes after being nagged every time I plugged in my iPod, and now when I browse through the music on my iPod, it doesn't show me how much space is left on the iPod in the bottom status bar! WTF! That's probably the most useful stat about my iPod. Now I have to click on my iPod and switch to another screen to see how much space I have left. I can't wait until a REAL iPod killer comes out (none of this Zune BS)... I feel Apple has started to become complacent.

    41. Re:And this is a firefox problem... by The MAZZTer · · Score: 1

      So taking your logic further, the OS should be responsible for all of this, so it's not even Firefox's problem. ^_^
      Speaking of this, whatever happened to Singularity? I wanna fool with it!
    42. Re:And this is a firefox problem... by segra · · Score: 2, Interesting

      This must be a windows/macos problem then! If they hadn't loaded Firefox, Firefox couldn't have loaded Quicktime!

    43. Re:And this is a firefox problem... by Merusdraconis · · Score: 1

      Firefox seems to break half the time Quicktime runs. Because Firefox also breaks occasionally without Quicktime, and Quicktime on its own works quite well, I blame Firefox, as the product that appears to be less well-engineered.

    44. Re:And this is a firefox problem... by holophrastic · · Score: 1

      That's what I was going to say -- late to the party I guess. The web browser -- in this case FF -- is responsible for taking remote content, and laundering it into local content. QuickTime is receiving locally-sourced content. The bug certainly exists, but it's not remotely-exploitable without the browser's action of importing the tainted content.

      As a web browser, FF shouldn't be importing tainted content without checking it.

    45. Re:And this is a firefox problem... by Benaiah · · Score: 5, Informative

      People still use quicktime?
      Why? Just why?
      Every website that has a quicktime video, I just go straight to youtube and search for the equivalent.
      This is mainly due to the fact that the quicktime plugin traditionally hasn't been able to automatically install. You have to actually go to their website and install some adware filled crap that will never leave your system tray alone.

      *bends over ready for -5 apple bashing*

    46. Re:And this is a firefox problem... by oskard · · Score: 1

      Chuck Norris round-house kicked every living soul who ever pondered over the glass.

      --
      Sigs are for Terrorists.
    47. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      30 bucks and your problem is solved.

    48. Re:And this is a firefox problem... by empaler · · Score: 1

      Isn't it the other way around?
      I've had QT crash my Ffx dozens of times, but never any problems with QT crashing IE. Which seems backward to me...

    49. Re:And this is a firefox problem... by Anonymous Coward · · Score: 1

      > The engineer says that the glass is twice as large as it needs to be.

      Or will EVER NEED to be...

    50. Re:And this is a firefox problem... by Jesus_666 · · Score: 1

      Jack Bauer found out where the glass was, who drank the water, and which government they worked for.

      Miami's CSI team is still busy determining the water's pH level, checking the glass for DNA samples, upsampling a security recording of the glass to full HD quality, walking around in slow motion and taking off their sunglasses while making painfully dramatic remarks.

      Results are expected in about two days, just in time to stop the half-emptyer from half-emptying another glass of water. And probably shoot him.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    51. Re:And this is a firefox problem... by Kalriath · · Score: 0, Redundant

      Exactly! You know what I meant there.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    52. Re:And this is a firefox problem... by onefriedrice · · Score: 1

      I don't think you'll get moderated poorly for anything you said, however it is quite ignorant. Look at what you said.

      > People still use quicktime?
      > ...
      > Every website that has a quicktime video, I just...

      So apparently you answered your own question. Yes, people still use Quicktime. A lot of people, actually. You may not, but many many still do because it has been and still is a good format.

      --
      This author takes full ownership and responsibility for the unpopular opinions outlined above.
    53. Re:And this is a firefox problem... by VGPowerlord · · Score: 1

      A fix implies a problem. I would challenge the notion that it's up to any one app to manage another's buffers, unless that is the application's specific and express intent.

      Further, a fix to FF will NOT fix the problem (the exploit will still exist in QT), it will only fix it if FF acts as a container for plugins, something that's caused no end of pain from IE.

      I agree. Let's just hope that Apple doesn't turn around and blame Mozilla like Mozilla Corp. did to Microsoft when they had a similar problem.
      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    54. Re:And this is a firefox problem... by dubbreak · · Score: 1

      The scientist says there is .3764666437 litres.

      I say you have big glasses! I've been looking for something to hold an entire bottle of la fin du monde, yours sounds like it could even fit some head!
      --
      "If you are going through hell, keep going." - Winston Churchill
    55. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Not to mention that implementation of Quicktime on the PC is kinda yucky anyways. (Designed pretty, but the software has always been buggy.) It's often that it seems to make my computer hang, lag, or crash the browser whenever an embed or object calls for it.

      The real problem is finding some decent players that would support the needed codecs and work with the browser besides QT and MediaPlayer. I'm a little partial towards VLC, but there's still too many gaps in regards to its browser plugin usefulness and supported codecs.

    56. Re:And this is a firefox problem... by Blakey Rat · · Score: 1

      Did you read the article? Firefox is the only (popular) browser susceptible to it. IE catches the overflow, and they couldn't reproduce the problem on Safari. Firefox isn't being "singled out", from the end-user perspective, Firefox is the only browser to be worried about.

    57. Re:And this is a firefox problem... by Lord Flipper · · Score: 1, Insightful

      *bends over ready for -5 apple bashing*

      As an Apple user since 1979, all I can say is: You won't get bashed by me. I use VLC and MPlayer for just about everything except the wmv files that Flip4Mac handles as a QT plugin... heheh, using QT for Windows Media. The QuickTime Pro player on an adequate Mac, with the prefs set 'just right', is not a bad thing, but... when you absolutely want to playback anything (with minor exceptions), VLC is the way to go on the Mac.

      I've seen latest QT Pro, in Leopard, on 4 Macs here, 'kick' an mp3 on the grounds that it "Can't play this movie file type", and all I can say is, WTF? Not sure if that's all QT's fault, or it's getting an assist from the wonky Apple HFS+ (UNIX-incompatible) file system, but whatever... vive la France!

    58. Re:And this is a firefox problem... by Z34107 · · Score: 1

      help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?

      Not a "Firefox Problem" per se, but surely an exploit that works on t3h f0x but not on IE is newsworthy.

      --
      DATABASE WOW WOW
    59. Re:And this is a firefox problem... by kennygraham · · Score: 1

      The only thing that pisses me off about iTunes is that newer versions sort numbers after "Z" instead of before "A". Does anybody know why they changed that? 311 shouldn't be the last artist on my list. I ended up switching back to v7.2.

    60. Re:And this is a firefox problem... by genaldar · · Score: 1

      Remember when IE had a similar problem with links opening other browsers. I bet you blamed MS, but now that FF has a similar problem it's a QT problem. I for one blame Apple and not FF, but I didn't blame MS before so I'm not a hypocrite.

    61. Re:And this is a firefox problem... by wolverine1999 · · Score: 1

      I don't feel the problem though I understand you.. perhaps I have enough memory so it isn't a problem...

    62. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Also note that you can grab both realAlternative and quicktime Alternative codecs so that these apps never load. I have both and it makes everything run a lot smoother.
      While I know that the name for the real player alternative is realAlternative, I'm not exactly sure what the quick time alternative is (though it's similarly named, if not exactly the same). You can get both from free-Codecs.com http://www.free-codecs.com/download/Real_Alternative.htm

    63. Re:And this is a firefox problem... by slater86 · · Score: 1

      By the description given, they may as well blame Intel as well. It was their chipset that ran the code.

      --
      When people ask if I'm an optimist, I say "I hope so". --Bill Bailey
    64. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Hmmm.... so you'd be okay with Firefox farming off a bash script to bash without asking any questions?

    65. Re:And this is a firefox problem... by Wiseman1024 · · Score: 1

      iBugs.

      Get hacked, with style.

      Now bundled with stylish sunglasses(*) for metrosexual classy fanboys.

      (*): You need to download Apple iTunes to put the sunglasses on.

      --
      I was about to say 13256278887989457651018865901401704640, but it appears this number is private property.
    66. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      We all know websites happily use QuickTime, thanks to Apple's powerful marketing and strong position in digital publishing... but few savvy end-users bother with the inconvenience (that GP very aptly described; do you disagree with that detail?) -- hence YouTube to the rescue.

      Sure QT is technically one of the better formats out there, but how Apple goes about offering the viewing tools is just appalling -- almost feels like an intentional injury/insult to the non-OSX crowd who often prefer other players.

      I'm not sure if I have been trolled here, though.

    67. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      And in other news, Firefox can be used to view kiddy porn.

    68. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Glass half empty, half full type thing. Of course, Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?

      And how would an application do bounds checking for an arbitrary plugin, when it has no idea what the size of the receiving buffer is?

      Imagine this:

      Plugin A needs at least 64 bytes to fill out all the required parameters.

      Plugin B has a buffer of 32 bytes, anything over that will cause a buffer overflow.

      Without knowing which plugin is which, how would you write a program to check the bounds of those two buffers? Hint: It cannot be done.

      Nope, not in IE either. But the article says... Yes, because IE is using a different interface, where IE supplies a fixed size buffer. IE will do bounds checking on *that* buffer. Nothing prevents the plugin from having a second buffer, which is smaller "We won't need more than 50 bytes - The Manager".

      So, why doesn't Firefox use such a buffer? Actually, it does. But this buffer is provided by the OS, and holds thousands of bytes. And still nothing prevents the plugin from using a smaller buffer. However, a bigger input buffer means that it is more likely that whatever arbitrary fixed buffer size someone decides on is smaller than the input buffer (simple math: There are very few positive values below 1. There are lots below 1,000,000. Thus the likelihood of someone choosing a size below 1 is smaller than the likelihood of someone choosing a size below 1,000,000).
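The argument in the comment above (a host's bounds check only covers the host's own buffer, not a smaller one inside the plugin) as an added C example; it is not code from the thread, from any browser or from QuickTime. The buffer sizes and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: a large host transfer buffer and a small plugin buffer,
 * like the "thousands of bytes" versus "Plugin B has 32 bytes" in the comment. */
#define HOST_BUF_SIZE   4096
#define PLUGIN_BUF_SIZE 32

/* Host side: the only bound the host can enforce is that of its own buffer. */
int host_accepts(size_t len)
{
    return len <= HOST_BUF_SIZE;
}

/* Plugin side, unchecked (shown for contrast, never called here): it trusts
 * that anything the host forwards will fit, so any len above PLUGIN_BUF_SIZE
 * writes past the end of dst even though the host's own check passed. */
void plugin_copy_unchecked(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
}

/* Plugin side, checked: the receiver validates against the size of the buffer
 * it owns and leaves room for the terminator. Returns 0 on success, -1 when
 * the input does not fit. */
int plugin_copy_checked(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Hand one field from the host to the plugin.
 * Returns 0 when stored, -1 when the host rejects it, -2 when the plugin does. */
int deliver(const char *field, size_t len, char *out, size_t out_size)
{
    static char host_buf[HOST_BUF_SIZE];
    char plugin_buf[PLUGIN_BUF_SIZE];

    if (!host_accepts(len))
        return -1;                      /* larger than the host buffer */
    memcpy(host_buf, field, len);       /* safe: len <= HOST_BUF_SIZE */

    /* The host check says nothing about plugin_buf; only this check does. */
    if (plugin_copy_checked(plugin_buf, sizeof plugin_buf, host_buf, len) != 0)
        return -2;
    if (plugin_copy_checked(out, out_size, plugin_buf, len) != 0)
        return -2;
    return 0;
}

int main(void)
{
    static char field[5000];            /* constructed input, all 'A' bytes */
    char out[PLUGIN_BUF_SIZE];
    size_t lens[] = {10, 100, 5000};

    memset(field, 'A', sizeof field);
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %zu -> %d\n", lens[i], deliver(field, lens[i], out, sizeof out));
    return 0;
}
```

The 100-byte input is the interesting case: it passes the host's check and is stopped only by the check in the code that owns the 32-byte buffer.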

    69. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      The RDF seems to be messing with your perception. Firefox isn't perfect by any means, but Quicktime is a wretched pile of shit.

    70. Re:And this is a firefox problem... by walt-sjc · · Score: 1

      I have a mac mini (dual core w/2G ram) setup as a home media machine. I was unable to create a mp4 video that quicktime could handle. Anyone know the magic incarnation (exact parameters) for mencoder that will create a mp4 video in the one limited sub-format that quicktime is able to handle? Mplayer handles just about everything I can throw at it.

      Why do I want this? Quicktime seems to use some hardware acceleration that mplayer does not because mplayer playback is frequently a little choppy where quicktime is flawless on the few videos I was able to play with it (hence the request above.) If I could get similar performance from mplayer, I would shitcan quicktime totally. Maybe I need to shitcan OS X totally and just install Ubuntu...

      Apple rant... Why oh why does quicktime SUCK at playing multiple file formats? You have only been doing this twice as long as the freeware mplayer team. Isn't multi-media at the CORE of everything you do?

    71. Re:And this is a firefox problem... by sm62704 · · Score: 1

      I say you have big glasses!

      I like beer. LOTS of beer!

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    72. Re:And this is a firefox problem... by The+Slashdot+Guy · · Score: 1

      Only if Ford didn't include those tires, only made it so you could use them if you chose to.

    73. Re:And this is a firefox problem... by smellsofbikes · · Score: 1

      And the intelligent programmer has the other half of the water backed up in a glass in another room, preferably in another city in a fireproof safe.

      --
      Nostalgia's not what it used to be.
    74. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      Isn't that the same argument Microsoft has made about many of their products, that third party software flaws are mainly the issue with their software being vulnerable? Something the MS-haters have never agreed with? Well well well, I guess when it comes back to biting you in the ass, you take the same position as Microsoft does.......just much much more resentful and protective.....

    75. Re:And this is a firefox problem... by Volante3192 · · Score: 1

      But that's the point. It's a Quicktime bug; Firefox is just doing what it's supposed to and giving to QT. If you've got IE catching the overflow, or Safari, that means manhours were spent and lines of code added for stuff that lies outside the bounds of the browser.

      Why should Fox be on the ready for datastreams that QT handles wrong? Should we have Fox set up to keep an eye passed to every plugin? If companies have to start worrying about handoffs to other plugins and programs, that increases their coding demand, adding the possibility for more bugs. At the extreme end, if everyone has to assume everyone else is the absolute worst coder in the world, then more bound checking will be done than actually making programs.

      Course, this goes into the realm of coding philosophy more than practicality.

    76. Re:And this is a firefox problem... by Blakey+Rat · · Score: 1

      Why should Fox be on the ready for datastreams that QT handles wrong? Should we have Fox set up to keep an eye passed to every plugin?

      In this particular case, since Firefox's competitors do it, yes Firefox should also do it.

      Glad to have helped. ;)

    77. Re:And this is a firefox problem... by DOCmarkC · · Score: 1

      I say that there is half a glass of water....

    78. Re:And this is a firefox problem... by Anonymous Coward · · Score: 0

      The engineer says the glass is 3/5 larger than it needs to be, because all engineers include 20% safety margin and keep half their water in this redundant glass over /here/.

    79. Re:And this is a firefox problem... by Obsi · · Score: 1, Funny

      640 mL should be enough for anyone.

    80. Re:And this is a firefox problem... by Q2Serpent · · Score: 1

      Some people feel the opposite. I'm happy with the way Firefox does things. If a plugin crashes, I'd rather have it isolated from the main application. I don't want Firefox crashing when a plugin makes a mistake just like I don't want Windows crashing each time an application makes a mistake. We've had virtual memory for a while now, and no one that I know of seems to think we ought to go back to the DOS memory model.

      If there is some flaw in Quicktime, and IE doesn't catch it for some reason, Quicktime now has access to the running IE image - which may or may not be as dangerous as what Quicktime has access to stand-alone, but it sure isn't cut-and-dry which one is better.

      A little noscript thrown in and my Firefox is more secure than your IE, simply because that malicious site can now DOS your web browsing.

  2. Safari by u235meltdown · · Score: 0, Flamebait

    ok, so I use Safari or Opera (if they handle this better) to browse porn for a while till they patch this

  3. Oh noes by dedazo · · Score: 0, Flamebait

    I felt a great disturbance in the Force... as if millions of fanboys suddenly cried out in terror and were suddenly silenced.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  4. That does it for me... by skeftomai · · Score: 5, Funny

    Man, I'm using IE from now on. It's WAY more secure...

    1. Re:That does it for me... by Anonymous Coward · · Score: 0

      I know you said that jokingly, but while you can argue that IE is theoretically more secure but in practice Firefox is more secure because evildoers don't write exploits for firefox. If the shoe was on the other foot here and this exploit worked for IE but not Firefox you can bet there would be a million malicious web sites out there within a few days trying to take advantage of it. But since it only works for firefox this slashdot headline is probably the last time you will hear about it.

    2. Re:That does it for me... by calebt3 · · Score: 1

      I don't know... ~12% of the market is still quite a large number of people.

    3. Re:That does it for me... by Homology · · Score: 3, Insightful

      Man, I'm using IE from now on. It's WAY more secure...

      Funny that security is not touted as much as a feature anymore compared to the early Firefox releases.

    4. Re:That does it for me... by El+Lobo · · Score: 0, Troll

      Actually, using IE7 on Vista in its DEFAULT sandboxed mode will protect you from almost every 3rd party plugin problem.... So you ARE partially right. I use it myself IE7 sandboxed on Vista and have no intentions to change to whatever...

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    5. Re:That does it for me... by KDR_11k · · Score: 1

      Especially when those people think nothing could possibly happen to them.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    6. Re:That does it for me... by isorox · · Score: 2, Informative

      I don't know... ~12% of the market is still quite a large number of people.

      27% in europe, over 40% in some countries.

      http://www.xitimonitor.com/en-us/browsers-barometer/firefox-september-2007/index-1-2-3-110.html

    7. Re:That does it for me... by bcat24 · · Score: 1
      Are you sure about that? Look at Mozilla's main Firefox page. What's the tagline? Oh, "faster, more secure, & customizable". What's spelled out in big letters with a checkmark next to it? How about this:

      Stay Secure on the Web

      Firefox continues to lead the way in online security, and now includes active protection from online scams to keep you safer.

      I'd say they're still pumping the security angle in their marketing stuff.
    8. Re:That does it for me... by secPM_MS · · Score: 1
      I have been in security for > 20 years. If I wasn't paranoid to begin with, I certainly am now.

      I run Vista and Windows Server 2008 as a normal user, not as administrator. I use IE 7, protected mode, enhanced security configuration as my default browser. A few web sites go into my IE trusted sites zone.

      Since IE is so locked down, I also run FireFox with NoScript installed. I am very careful whose javascript I run. I have not installed plugins and I block Flash.

      Even if you get past my usage controls, I am still running as a normal user and do not have administrative rights. An attacker can blow my data, but can't compromise my system.

      Microsoft did a lot of work hardening its browser snap-ins for Vista.

      Since Adobe is building such a powerful platform on pdf, I use a much simpler pdf reader executable, which may have vulnerabilities, but is less likely to be targeted due to market share issues.

    9. Re:That does it for me... by syousef · · Score: 1

      Man, I'm using IE from now on. It's WAY more secure...

      Damn. I thought I was safe. We need a new version of Firefox that dis-allows Quicktime. I vote we call it Pornzilla.

      --
      These posts express my own personal views, not those of my employer
    10. Re:That does it for me... by skeftomai · · Score: 1

      Or we could just use Linux with mplayer :)

    11. Re:That does it for me... by Anonymous Coward · · Score: 0

      An attacker can blow my data, but can't compromise my system.

      Damn.. that bastard nuked my documents.... ITS OK!!! kernel32.dll is fine !!

      Without any data, why would you need a computer?

      In security for 20 years eh? Nice...
    12. Re:That does it for me... by Homology · · Score: 1

      Heck, even Microsoft touts Internet Explorer as secure ;-) The touting of Firefox's security by followers are quite less than there used to be, even on Slashdot.

  5. How is this a firefox problem? by rminsk · · Score: 3, Insightful

    So how is this a firefox problem? Firefox spawns off another process that has a flaw and it crashes. This process is completely outside of the memory space of firefox at this point.

    1. Re:How is this a firefox problem? by Anonymous Coward · · Score: 2, Interesting

      How do so many people have a problem understanding this? It's simple:

      Non-Firefox browser: exploit fails to execute, instead protected by bounds checking

      Firefox: exploit executes unchecked

      How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.

      Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.

    2. Re:How is this a firefox problem? by Anonymous Coward · · Score: 2, Insightful

      Because it is possible to have a better security model that doesn't spawn off another process.

      Kind of like how on an old operating system that doesn't have separate address spaces it isn't the OS's fault if you run a program that brings down the entire system. But there is a better OS design they could have used that would have prevented that. Same thing here, there is a better browser design that would have prevented this.

    3. Re:How is this a firefox problem? by Anonymous Coward · · Score: 2, Insightful

      Which is exactly the problem. It should not pass untrusted files to other trusted apps. It should keep it inside its own buffer overflow protection bubble as IE does.

      If this was an IE problem, you know the tagging beta would be full of 'defectivebydesign' and 'haha' remarks. But this is Firefox, so all is forgiven.

    4. Re:How is this a firefox problem? by ByOhTek · · Score: 1

      Firefox assumes that if a user installs a plugin, it is trustable, the others do not.

      The plugin (and the app itself) are where the flaw lies. Now, firefox could sandbox its plugins, at some arbitrary performance penalty, as its rivals do, and that would certainly fix the problem from the FireFox pov.

      But the problem is still within QuickTime, and any other non-sandboxing app could be corrupted. One of the things I learned in my computer science classes, is that if you have error checking at every level, your code will probably be secure, however, it will also be slow. In this case, the data stream is interpreted by Quicktime (by any browser), and thus the error checking should be handled by Quicktime.

      Now, we could argue that firefox should implement a per-plugin sandbox option (not a bad idea really), but even with that, there would still be a problem in Quicktime, and opening a stream that exploits the vulnerability in Quicktime would still work (even with Firefox patched). Fixing Quicktime would fix both applications.

      Put another way: Fix Quicktime, and every application that uses quicktime will be fixed. Fix the apps that call quicktime with sandboxing or other mechanisms, and you'll have a bunch of slower applications, and any application without the fix already applied, will still be broken - that includes Quicktime itself.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    5. Re:How is this a firefox problem? by Anonymous Coward · · Score: 0

      Some pro-firefox anti-ms mods around today. This guy explained it correctly. It is a problem with firefox, and IE does have a security model in place to stop such things. And yet he got modded flamebait. What's up with that? I guess this is why so many people who are explaining why this is a FF problem are posting as AC.

    6. Re:How is this a firefox problem? by thomas.galvin · · Score: 1

      So how is this a firefox problem? Firefox spawns off another process that has a flaw and it crashes. This process is completely outside of the memory space of firefox at this point.

      It isn't a Firefox problem, per se. Firefox did nothing but what was asked of it: call this user-specified external program to deal with a piece of data.

      Applications should be well-written and behaved, but we expect our OS to compensate for them when they are not. Browsers are evolving, becoming an operating environment unto themselves, and Firefox's competitors have taken a stance similar to the OS makers. Plug-ins should be well-written and behaved, but they'll take steps to minimize the damage caused by the ones that are not.

      And that makes it Firefox's problem, because Firefox is lacking a feature that other browsers provide. This kind of plug-in security is becoming a "best practice" of sorts, and Firefox should implement this feature to stay current.
    7. Re:How is this a firefox problem? by Slashdot+Parent · · Score: 1

      I dunno. IE users are not vulnerable. Firefox users are.

      Explain to me why the term "firefox" doesn't belong in the vulnerability writeup when only firefox users are exposed?

      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    8. Re:How is this a firefox problem? by Anonymous Coward · · Score: 1, Interesting

      So what you are saying, fundamentally, is that it's actually Windows which is to blame as it allows passes untrusted files from the Internet to Firefox.

      Shame on you Microsoft - defectivebydesign'

    9. Re:How is this a firefox problem? by orclevegam · · Score: 0, Flamebait

      Ok, try this experiment then. Find one of these exploited QuickTime movies, open it in IE and watch it. Then, download and save the file on your computer, and open it using QuickTime (not unlikely, people often download copies of QuickTime movies to watch later). Congratulations, you've not been compromised, all while being "protected" by IE.

      --
      Curiosity was framed, Ignorance killed the cat.
    10. Re:How is this a firefox problem? by orclevegam · · Score: 0, Flamebait

      It's a QuickTime problem, that can affect you if you use FireFox to browse QuickTime clips with. This does not make it a FireFox problem, just something that FireFox doesn't go out of its way to protect you from. If you download and play those movies you're still vulnerable to the exploit no matter what browser you use, so it's not an issue with any web browser, it's an issue with QuickTime. All the MS fanboys are just using this as an excuse to flame the FireFox fanboys, and then cry foul when people point out that it's not really the browser's fault that another app has a security flaw.

      --
      Curiosity was framed, Ignorance killed the cat.
    11. Re:How is this a firefox problem? by Brandon30X · · Score: 1

      If you don't use Firefox, you're immune.


      Actually if you don't use quicktime you are immune.
      -Brandon
      --
      Quitters never win, Winners never quit, But those who never win and never quit are idiots.
    12. Re:How is this a firefox problem? by Spy+der+Mann · · Score: 1

      Because it is possible to have a better security model that doesnt spawn off another process.


      As long as the other process isn't spawned with greater privileges, there's no problem, right? Oh... you're talking about Windows, where EVERYONE logs in with root privileges...

      Never mind then.
    13. Re:How is this a firefox problem? by TrancePhreak · · Score: 1

      Fix QuickTime and QT will be fixed. Sandbox FF and ALL plugins will be fixed.

      --

      -]Phreak Out[-
    14. Re:How is this a firefox problem? by pla · · Score: 1

      So how is this a firefox problem?

      Ah, you simply didn't take the blame-game quite far enough...

      See, if we can blame FireFox for flaws in 3rd party code it forks off, then we can also, by proxy, blame Windows for letting FireFox let the same buggy code run.

      It all balances out in the great karmic wheel of "Always Microsoft's Fault, Somehow".

    15. Re:How is this a firefox problem? by InvisiBill · · Score: 1

      I dunno. IE users are not vulnerable. Firefox users are.

      Explain to me why the term "firefox" doesn't belong in the vulnerability writeup when only firefox users are exposed?

      1. Download the malicious file with IE. Don't play it inside IE, just save it somewhere.
      2. Double-click that file so that it opens in QuickTime.
      3. Add "Internet Explorer" to the vulnerability writeup.

      If you look at the Symantec article, the malicious file ran in the standalone QT app, not in a Firefox plugin. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html

      It's really apples and oranges. In the IE test, the malicious file was running inside IE via the plugin. In the Firefox test, it was not running inside Firefox via a plugin. Since it wasn't running in a Firefox plugin, the test really doesn't say anything at all about Firefox or its plugin system.

    16. Re:How is this a firefox problem? by Slashdot+Parent · · Score: 1

      Since it wasn't running in a Firefox plugin, the test really doesn't say anything at all about Firefox or its plugin system.

      Well, the fact that I am running firefox right now and I'm vulnerable to a remote code execution flaw, and I could close the flaw by running IE instead is really all that matters to me.

      Maybe I should check out IE7. I hear they have tabs now, and I'll be more secure.
      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    17. Re:How is this a firefox problem? by Blakey+Rat · · Score: 1

      I hate it when smart people reading Slashdot, people who are out there programming device drivers and creating huge server farms, have a complete and utter inability to think like a user of computers.

      From the user's perspective, Firefox crashed/was exploited. From the user's perspective, visiting the same page from IE or Safari doesn't result in a crash/exploit. Nothing else matters.

      Now you're right that the problem isn't in Firefox's code. Welcome to Microsoft's world, where most complaints about Windows problems are actually problems in someone else's code. Sorry, Firefox, it's tough but you'll just have to take the bad press on this one.

      I hate to think of what kind of IT systems people like you are creating without the ability to put yourself in a user's mindset. Actually, I already know because I've had to suffer through them: Lotus Notes and Oracle Apps.

  6. Quicktime - default??? by sundar_m77 · · Score: 1

    >> if users have chosen QuickTime as the default player for multimedia formats

    hmm, Does anyone use quicktime as the default multimedia player?

    1. Re:Quicktime - default??? by leoxx · · Score: 1

      Does anyone use the Quicktime player at all? What does it do that mplayer or VLC doesn't (besides having a terrible user interface and no support for Linux)?

    2. Re:Quicktime - default??? by 47Ronin · · Score: 2, Insightful

      Of course. It comes with my Mac. It works well. I have the Perian, Divx, and Flip4Mac plugins so I can handle pretty much any codec, including FLV so I'm quite happy. It will also export pretty much anything. FAQ about QuickTime

      --
      Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
    3. Re:Quicktime - default??? by Anonymous Coward · · Score: 0

      Quicktime seems to be the recommended Firefox plugin for most video mimetypes. When some video plugin is missing, Firefox often prompts to install Quicktime, so I think many people have it installed.

      It sucks, but there's no good alternative on XP. I tried the VLC plugin, it crashed instantly. Also I prefer not to use VLC (except for videos that won't play otherwise) because the UI is extremely clumsy. WMP plugin works decently but is unsafe (ASF), and I don't want to give Microsoft that much control. mplayer plugin isn't available for Windows AFAIK. Flash doesn't play anything other than FLV and MP4.

  7. What version of Firefox? Or IE? by objekt · · Score: 1

    Stupid, stupid, stupid summary.

    --
    -- Boycott Shell
    1. Re:What version of Firefox? Or IE? by Lord+Aurora · · Score: 1

      FWIW, TFA doesn't mention it either, it just mentions the version of QuickTime that is affected. It would be safe to assume, then, that all versions of FF and IE should be considered. Better safe than hacked.

      --
      The heavens do not fall for such a trifle.
    2. Re:What version of Firefox? Or IE? by calebt3 · · Score: 1

      This does not happen in IE. And it seems like this problem spans all versions of Firefox that open Quicktime as a separate process rather than as an internal plugin.

    3. Re:What version of Firefox? Or IE? by Polysick · · Score: 1

      Since it's quicktime that's being exploited, it doesn't matter which version. It's because of the way IE and Safari have plugins for the quicktime files so the browsers just crash instead. FTFA they say that opening an email link or attachment would do the same thing.

    4. Re:What version of Firefox? Or IE? by sm62704 · · Score: 3, Informative

      Better safe than hacked.

      No, better safe than CRACKED. When someone comes up with a hack for this, the problem is fixed.

      Don't you know where you are? This is slashdot, not the wall street journal. Hacking is when you turn your transistor radio into a fuzzbox or your lawnmower into a robot. Hacking is NOT "breaking into a computer system" you silly normal person.

      -mcgrew

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    5. Re:What version of Firefox? Or IE? by Anonymous Coward · · Score: 0

      I think you're about ten years too late to reverse this change. Sorry.

    6. Re:What version of Firefox? Or IE? by whitehatlurker · · Score: 1
      I agree with your assessment of the summary.

      The CERT Vuln. Note gives somewhat better information and workarounds than I have seen elsewhere. (Some places say, "just block port 554 and you're safe." Nope.)

      I would like to note that while the exploit released doesn't work on IE, Symantec notes that, with work, a new exploit could target IE. (And likely other browsers. As people have noted elsewhere - this isn't really a browser issue.)

      --
      .. paranoid crackpot leftover from the days of Amiga.
  8. Does that mean... by gQuigs · · Score: 0

    IE will crash? And Firefox won't, but quicktime will? I think that's what I would prefer. It's not Firefox's responsibility to secure all external programs on the computer. Even if they do have plug-ins in Firefox.

    1. Re:Does that mean... by jerw134 · · Score: 1

      IE will crash, but your computer will be safe. Firefox won't crash, QuickTime will, and your computer will be owned. Is that really what you prefer?

    2. Re:Does that mean... by hcmtnbiker · · Score: 1

      IE will crash? And Firefox won't, but quicktime will? I think that's what I would prefer. It's not Firefox's responsibility to secure all external programs on the computer.

      Simply put... NO. IE will not crash, the plug-in however will be unloaded for that instance. This isn't just about crashing the browser either, it's a buffer overflow error and the article implies you can send some payload to the machine to be executed. But unless you're running FF as root that really shouldn't be a big problem.

      --
      If i had one dollar for every brain you dont have, i would have $1.
    3. Re:Does that mean... by I'm+Don+Giovanni · · Score: 1

      "But unless you're running FF as root that really shouldn't be a big problem."

      Yah, trashing your home directory and/or having private data uploaded from the home directory is no big deal. /sarcasm

      --
      -- "I never gave these stories much credence." - HAL 9000
    4. Re:Does that mean... by Blakey+Rat · · Score: 1

      But unless you're running FF as root that really shouldn't be a big problem.

      Oh yeah, it just has full access to your home directory and all your important files. Sure, it'll delete your income tax returns for the past 6 years, but that really shouldn't be a big problem.

      Cripes, when will Linux get it in their thick heads that the user data is the valuable data? It takes a couple hours to reinstall an OS, my personal writings are literally irreplaceable. Other documents are replaceable only through months of document scanning and re-typing.

      Microsoft gets it with Shadow Copy, and Apple gets it with Time Machine, when will Linux get it? (And not just get the technology, but get the concept and stop telling users there's nothing to worry about if the malware doesn't have admin access?)

  9. Again? by Anonymous Coward · · Score: 0

    Wasn't this fixed just few months ago? IIRC there was some quicktime flaw in FF a while ago and it got fixed. Or is this new bug?

    1. Re:Again? by Anonymous Coward · · Score: 0

      Die in a fire, fucktard. What are you doing posting if you have no clue what you're saying?

    2. Re:Again? by Anonymous Coward · · Score: 0

      What's your problem? Go back to your parent's basement and grow up.

  10. Apple software not secure. by Anonymous Coward · · Score: 4, Insightful

    So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?

    1. Re:Apple software not secure. by Bryansix · · Score: 0

      So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?
      Quoted for Truth.
    2. Re:Apple software not secure. by Brainix · · Score: 1, Insightful

      Really? Where are the gozillion iTunes exploits? Or is iTunes "less popular" too?

      --
      Raj Against the Machine! http://social-butterfly.appspot.com/
    3. Re:Apple software not secure. by Anonymous Coward · · Score: 2, Insightful

      It's more that iTunes isn't opening untrusted files and connecting to untrusted servers. I guess you could consider mp3s to be untrusted, but most of them come from apple's servers so it's not like you are downloading them from some random guy in russia.

    4. Re:Apple software not secure. by Anonymous Coward · · Score: 1, Informative

      Don't want to feed the troll but your logic is complete garbage. In recent memory, I can't recall hearing about a significant amount of security exploits for quicktime - certainly not more than Windows Media Player. Let's also ignore how long it takes a software vendor to fix the original bug. But yes - let's take 1 quicktime flaw to generalize that Apple products are insecure.

    5. Re:Apple software not secure. by _Sprocket_ · · Score: 1

      > So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?

      Try - one. This isn't it.

      This does show that Apple provides no magic bullet; Apple can (and does) put out crap code. If you think buying / using Apple software means never having to worry about bugs (and consequently exploits) then you've been deluded.

      What this doesn't do is settle why Apple's bugs don't become fertile ground for malware. In fact, since this particular exploit isn't (yet) actively used in the wild it doesn't even enter the debate. But then it's only a matter of time. Industrious malware coders are undoubtedly updating their code. We'll see what platform(s) they target.

      I understand the sentiment. I even agree that there is some logic behind the idea - akin to "low hanging fruit". I'm just not buying that it is the be-all and end-all to the issue as some like to make it.

      We already have examples where malware targeted specific subsets of Windows users. The Witty Worm is one rather interesting example (targeting only IIS customers running specific security products). But why just subsets of Windows? If other subsets of IT (such as Macs) offered easy targets, why wouldn't malware authors target them? Be assured they do - just not often and not successfully.
    6. Re:Apple software not secure. by Anonymous Coward · · Score: 0
    7. Re:Apple software not secure. by Anonymous Coward · · Score: 0

      Score:5, Insightful? For a red herring ("how many of these examples do we need..."), a gross generalization (QT bug == all Apple software is chock full of bugs) and an appeal to statistics?

      Where's this guy gonna be, I wonder, if a show-stopping Amarok bug hits CNet's front page? How many examples of such bugs do we need to demonstrate that all software is not inherently secure?

  11. If Just A Simple Buffer Overflow by Nom+du+Keyboard · · Score: 1

    If it's just a simple buffer overflow, then shouldn't the execute disable (NX bit for AMD, XD for stupid Intel who won't follow established standards) bit catch it for XP SP2 and other systems?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:If Just A Simple Buffer Overflow by Anonymous Coward · · Score: 1, Interesting

      Not necessarily. NX makes some exploits harder, but only really starts becoming a major obstacle in conjunction with randomised address space and stack canaries. Even with all that, some overflows are still exploitable.

    2. Re:If Just A Simple Buffer Overflow by benjymouse · · Score: 1

      The NX flag is set on a per-process basis. The application launching the process has to set the flag for it to be effective. Not all processes running in XP SP2 or Vista run with NX, for compatibility and/or performance reasons. IE seems to set this flag (or simulate it using stack canaries), while FF apparently does not.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    3. Re:If Just A Simple Buffer Overflow by Nom+du+Keyboard · · Score: 1

      performance reasons.

      How does NX affect performance? I've not heard of any performance hit for using it, unless it's interrupting all the time due to attempts to execute data.

      --
      "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    4. Re:If Just A Simple Buffer Overflow by Anonymous Coward · · Score: 0

      By default, NX is only enabled on Windows for software that comes with the operating system. That means that IE has it enabled, while QuickTime does not.

      Frankly, this is stupid. No other OS does it this way - Mac OS X, for example, has NX enabled for all programs. Linux implementations have NX enabled for all programs except those containing the "disable NX" flag in the ELF header. In all cases, an application can mark a page of RAM as executable if required.

      The only programs I've seen affected by enabling NX in Windows for all software are emulators. Everything else works fine.

    5. Re:If Just A Simple Buffer Overflow by benjymouse · · Score: 1

      If NX is hardware supplied there is apparently no significant overhead. In that case the concern would be compatibility. However, on architectures where NX is not hardware supported it is emulated, which, as I understand, can have considerable overhead.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  12. QuickTime == Java by Anonymous Coward · · Score: 1, Insightful

    QuickTime is about as useful as Java. A 'quick' 125Kb download, to install about 50Mb of crap on my system, and a damn useless taskbar icon, using valuable desktop space, just to tell me, yay! you have QuickTime installed!

    I make it a habit to simply not view quicktime content, it's usually not worth my 'time' quick or not.

  13. Troll -1 by dgr73 · · Score: 4, Funny

    "Quicktime bug!?! Oh sweet Joseph of Arimathea!!!! Quick, inform the users.. YES BOTH OF THEM!"

    1. Re:Troll -1 by steelfood · · Score: 1

      The interesting thing is, while Quicktime might not have two users, as an embedded player for online media, it has largely been supplanted as the de facto online media player and format by Flash and Flash videos. It seems while Quicktime's use might not be declining, it hasn't been gaining either even while online videos grow ever-more popular. The same could be said for WMV.

      Not that it matters, as all it takes is one bad site with an embedded malicious video...

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  14. mild oops by objekt · · Score: 1

    Summary mentions IE 6/7 but what about Mac? No IE 6/7 there.
    I use Safari for most browsing and I just upgraded my Firefox to 2.0.0.10

    --
    -- Boycott Shell
  15. Safety through laziness. by backbyter · · Score: 0, Troll

    QuickTime?

    Haven't installed that in several years.

    1. Re:Safety through laziness. by njfuzzy · · Score: 2, Insightful

      If you have a Mac, then you have QuickTime. If you have iTunes, then you have QuickTime. That may not apply to you, but it's fair to say it covers a huge chunk of marketplace overall. (I believe people who download Safari 3 Beta for Windows, and Bonjour for Windows, also have QuickTime by default, but they are bound to be a very small group.)

      --
      My Photography - http://ian-x.com
      The Deathlings (comic) - http://thedeathlings.com
    2. Re:Safety through laziness. by backbyter · · Score: 1

      No Mac; Didn't bother to learn how to use that one button mouse.

      No iTunes; Didn't bother to expend the energy to have my favorite music follow me wherever I go. (As a charter member of the "Ole Fuddy Duddy" group, I kinda like the quiet.)

      No Safari, and I couldn't tell you what Bonjour was.

      I'm pretty sure QuickTime is not on any machine I own. Unless that OLPC I ordered for my niece has QT installed. I'd check, but you know, that would mean I'd have to open the package, start the computer, etc... :)

    3. Re:Safety through laziness. by njfuzzy · · Score: 1

      I believed you. I just thought it might be pointing out that your anecdotal commentary wasn't particularly relevant, since a huge number of people do have QuickTime installed.

      --
      My Photography - http://ian-x.com
      The Deathlings (comic) - http://thedeathlings.com
  16. Because of the end appearance by Sycraft-fu · · Score: 4, Insightful

    When you use QT in Firefox, it appears in the FF window itself, it in a very real way seems to be part of FF. We aren't talking about opening a file that then spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.

    So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.

    1. Re:Because of the end appearance by el_chupanegre · · Score: 1

      If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it

      Firefox does do this to an extent. If I load a Flash page and the page is unresponsive, I get a dialog box saying 'This Flash script is unresponsive, do you want to abort it?' or something, same with Javascript that might get stuck in an infinite loop or something. I know this isn't the same as Java or Quicktime etc, but FF does take this into consideration in some sense. I don't think you can blame FF (or indeed any browser) even partly for this one, Apple screwed up.

  17. MOD Parent Funnt by Bryansix · · Score: 2, Insightful

    Cause that is what his post is.

  18. The real shame! by Kylere · · Score: 1, Troll

    Anyone smart enough to use Firefox should also be smart enough not to use Quicktime. Quicktime is an excellent example of poorly written software, if it were not for complete trash like WMP no one would use it. Everyone sane uses VLC anyways.

    1. Re:The real shame! by phoebusQ · · Score: 1

      Many of you seem to be under the strange impression that QuickTime itself is a media player.

    2. Re:The real shame! by wanderingknight · · Score: 1

      > Everyone sane uses VLC anyways.

      Everybody truly sane wouldn't use a media player with such a crappy (not to say non-existent) soft subtitles support. VLC sucks big time due both to that and the crappy user interface. Give me mplayer (or MPC/Zoom Player/TCMP + CCCP if you're on Windows) and voilà, all the problems are gone.
    3. Re:The real shame! by StupidKatz · · Score: 1

      The Core Media Player had (what I considered to be) serious flaws in its support of certain older operating systems (or perhaps just in general), and their customer service in that regard was less than stellar. As a paying customer (I guess I still am, since I'd already bought the thing), I figured that VLC's flaws were more bearable at the time.

      Much like how Firefox's (Phoenix's?) were more bearable than Opera's, circa version five.

      CCCP, OTOH, is quite, quite nice. :)

  19. Firefox 3b? by RSA7474 · · Score: 0

    Does Firefox 3 handle Quicktime as an internal plug-in? I think it does now..

    Quick fix: Download VLC player and use it as the default media player for Firefox..

  20. MOD Parent Stupif by Anonymous Coward · · Score: 0

    Because that is what his post is.

    1. Re:MOD Parent Stupif by sm62704 · · Score: 1

      Yes, but stupid is very often funny, as the post was.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  21. Can someone explain the top of this Slashdot page? by Seumas · · Score: 0, Offtopic

    Top right, in the links section for this page.

    "Compare prices for Mozilla".

    Uh . . . .

  22. Re:MOD PARENT UP by Anonymous Coward · · Score: 0

    You mean tying it directly into the OS?

  23. Design for maliciousness by PhxBlue · · Score: 3, Insightful

    Software should be pessimistic. Design the code to handle incoming requests as potentially malicious, and you'll never be disappointed.

    --
    !#@%*)anks for hanging up the phone, dear.
    1. Re:Design for maliciousness by Anonymous Coward · · Score: 0

      Bingo. And especially true for Internet software. Browsers and their plugins should be paranoid as hell.

  24. Phew by lluBdeR · · Score: 2, Insightful

    Man am I glad my system seems to deal with this problem proactively: The Quicktime plugin crashes anything that contains it almost as soon as it's drawn!

    Thank you Apple for protecting me from, well, Apple!

  25. Alternative? by rickatnight11 · · Score: 1

    Any word on how this affects Quicktime Alternative or QTLite as they are based on the Quicktime code?

  26. Re:security through instability by fluffy99 · · Score: 1

    What, like Firefox doesn't crash and burn anytime a plug-in misbehaves? FF is worse than IE in that regard, especially with plugins like Adobe Acrobat reader. Isn't the FF fanclub party line that instabilities and crashes are caused by misbehaving extensions and plug-ins?

  27. The reason why it is Firefox's problem... by NavyTim · · Score: 1

    is because they notified Apple and Steve Jobs said it was. Period. Steve has spoken.

    --
    Navy Tim www.navytim.com
    1. Re:The reason why it is Firefox's problem... by PhxBlue · · Score: 1

      But Chuck Norris uses Firefox, and Chuck Norris says it's Steve Jobs' problem.

      --
      !#@%*)anks for hanging up the phone, dear.
  28. A bigger problem by 0123456 · · Score: 5, Insightful

    Is that there's apparently no way to simply disable a plugin in Firefox. In order to completely disable Quacktime I've had to go through various plugin directories physically deleting the files, and next time I have to update it all the bloody plugins will be back again.

    Why can't about:plugins just have a 'disable' box on each plugin? Or, better yet, a standard preferences menu list which just lets me disable them there and then?

    1. Re:A bigger problem by post.scriptum · · Score: 5, Informative

      You can disable plugins in Firefox 3.0 beta 1.

    2. Re:A bigger problem by Anonymous Coward · · Score: 0

      Happily, Firefox 3 will enable plugin disabling. See Beta 1.

    3. Re:A bigger problem by Anonymous Coward · · Score: 0

      Firefox 3 (beta) has a much improved plugin manager that actually allows you to do things.

    4. Re:A bigger problem by 0123456 · · Score: 1

      Thanks for the info; sounds like they've noticed the problem themselves!

    5. Re:A bigger problem by Deanalator · · Score: 1

      noscript now lets you approve or deny certain plugins based on domain. As of 1.1.8.3 it only specifies between flash, silverlight, java, and "others", but it is a good start :-)

    6. Re:A bigger problem by Anonymous Coward · · Score: 0

      You can disable plugins in the mysterious future.
      Fixed.
    7. Re:A bigger problem by Anonymous Coward · · Score: 0

      God bless the writers of NoScript, it's the perfect workaround to this problem. One checkbox, and even trusted sites need to have the video window clicked to play.

    8. Re:A bigger problem by Myen · · Score: 2, Informative

      Unfortunately, for this particular exploit that would have no bearing. The whole point was that Firefox couldn't use plugins for links to unknown protocols (in this case, rtsp://) and therefore launches the system default protocol handler (though I do recall there was a warning with a "don't tell me again" checkbox).

      As far as the Firefox side was concerned, there was no plugin. It's the standalone app that's being exploited.

  29. So that's why by Gr8Apes · · Score: 1

    So that's why FF updated by 3pm.

    --
    The cesspool just got a check and balance.
  30. Poor Dialog by phantomcircuit · · Score: 1

    I just went to change the way that files are handled by Firefox as a work around.

    The dialog requires that each file type be individually changed.

    This would seem to be a VERY poor design.

  31. Symantec is wrong... by Anonymous Coward · · Score: 4, Informative

    http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html
    http://erratasec.blogspot.com/2007/11/new-rtsp-quicktime-flaw-affects-both.html

    Standard buffer overflow protection doesn't work, Symantec was wrong. It seems that parts of Quicktime are not enabled for ASLR making these attacks possible.

    1. Re:Symantec is wrong... by makomk · · Score: 2, Informative

      Someone please mod parent up. Basically, there are two aspects to this:
      1) Someone has apparently figured out a way to launch the exploit that avoids the protection and works correctly in Internet Explorer
      2) QuickTime (and its libraries) are not marked to allow ASLR, which would make this much harder to exploit.
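
Added example, not part of any comment in this thread: the NX and ASLR opt-ins discussed above are recorded per image in the `DllCharacteristics` field of a Windows PE header, so a defender can audit which binaries lack them. The file names and header bytes below are constructed for illustration (minimal headers, not loadable binaries); the sketch reads only the two opt-in bits and does not model system-wide DEP policy.

```python
import struct

# DllCharacteristics bits defined by the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is compatible with DEP/NX

PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


class PEFormatError(ValueError):
    """Raised when the bytes are not a parseable PE header."""


def read_mitigation_flags(data: bytes) -> dict:
    """Return the ASLR/NX opt-in state recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte signature plus the 20-byte COFF file header must fit.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    opt = e_lfanew + 24  # start of the optional header
    if opt_size < DLLCHAR_OFFSET + 2 or opt + DLLCHAR_OFFSET + 2 > len(data):
        raise PEFormatError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise PEFormatError("unknown optional header magic 0x%04x" % magic)
    (dllchar,) = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)
    return {
        "format": "PE32+" if magic == PE32_PLUS_MAGIC else "PE32",
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "raw": dllchar,
    }


def build_sample_header(dll_characteristics: int, pe32_plus: bool = False) -> bytes:
    """Construct a minimal PE header carrying the given flags (sample data only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    opt_size = 240 if pe32_plus else 224
    machine = 0x8664 if pe32_plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC if pe32_plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit(images: dict) -> list:
    """Return (name, [missing opt-ins]) for every image lacking ASLR or NX."""
    findings = []
    for name, data in images.items():
        try:
            flags = read_mitigation_flags(data)
        except PEFormatError as exc:
            findings.append((name, ["unparseable: %s" % exc]))
            continue
        missing = [label for label, key in (("ASLR", "aslr"), ("NX", "nx"))
                   if not flags[key]]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed samples; the names are hypothetical, not real product files.
_BOTH = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SAMPLES = {
    "player_core.dll": build_sample_header(0x0000),
    "codec_helper.dll": build_sample_header(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "hardened32.exe": build_sample_header(_BOTH),
    "hardened64.exe": build_sample_header(
        _BOTH | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, pe32_plus=True),
    "truncated.bin": b"MZ",
}

if __name__ == "__main__":
    for name, missing in audit(SAMPLES):
        print("%-18s missing: %s" % (name, ", ".join(missing)))
```

To audit real files, pass `{path: open(path, "rb").read()}` for each binary in an application's install directory; the headers sit at the start of the file, so reading the first few kilobytes is enough.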

  32. Website's fault by nbucking · · Score: 2, Insightful

    This problem's principal fault lies with Apple. But it seems that they are sitting on their asses because it seems to be a problem that has been around for a while. So those websites that use quicktime should use flash player, media player, or realplayer. Heck I have gotten video lan to take care of them all but those who do not want the trouble should blame the stupid websites. As far as I am concerned about firefox not handling apple's screwup as well as the other browsers it is scary. Yet if quicktime is broken then even if you use the other browsers then it simply does not matter, you still have DoS.

  33. MOD PARENT UP by Bob-taro · · Score: 1

    If it's just a simple buffer overflow, then shouldn't the execute disable (NX bit for AMD, XD for stupid Intel who won't follow established standards) bit catch it for XP SP2 and other systems?

    Good question. I was thinking the same thing. Someone mod parent up ... and can anyone provide an answer?

    --
    Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
  34. The only thing worse... by etiam.maior · · Score: 2, Informative

    The only thing worse than QuickTime is RealPlayer. Both are asstastic pieces of shit that are NOT, under any circumstances, allowed on any of my machines.

    This is Apple's screwup in its code. Could FireFox handle it differently? Sure. But it ain't the code that they wrote that is the problem here.

    --
    Angry Network Admin
  35. Firefox flaw news... by MeMeMeMe · · Score: 1

    Brought to you by Microsoft....

  36. Well hello there Truman Show! by Anonymous Coward · · Score: 0

    Guess what I saw before I opened Slashdot just now? Exactly:
    You've Been Updated to the Latest Version of Firefox.
    This update will make you safer online.

    Yeah...right. Other than that I agree with the people who said that it's not a Firefox problem.

  37. which begs the question... by Cyko_01 · · Score: 1

    Is FireFox ready for mass adoption?

  38. The answer is Mplayer by pugugly · · Score: 1

    I've been on Ubuntu for six months or so (Linux for wimps like me - and there was much rejoicing!), but the best thing I had for Media on XP is Mplayer.

    I have strongly disliked Quicktime for a long time, because it sticks its little fingerprints into things worse than anything I've ever seen that's not from Redmond. I ripped my XP configuration out with Nlite, and setup my install CD with registry keys that hook everything to Mplayer. Short, sweet, runs everything that's not encrypted, and it doesn't try and grab everything in the world like Quicktime does. Setting up the original registry keys took a bit, but it works great, runs easy, low profile, and everything you want to do can be done from command line switches.

    You can make a strong argument for VLC, if you need the options it gives (Or really can't stand having a command prompt popped up and want a GUI), but for simple ease of use - use Mplayer.

    Pug

    --
    An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
  39. Firefox already patched by Cyko_01 · · Score: 3, Interesting

    If you are using 2.0.0.10 or later then you should already be protected against this exploit. THAT is why Firefox is still the best browser available

    1. Re:Firefox already patched by Myen · · Score: 2, Interesting

      Really? It doesn't seem to be listed. Got a bugzilla bug #?

    2. Re:Firefox already patched by LuniticusTheSane · · Score: 1

      Hell if you are using 2.0.0.7 or better you are safe, this was patched days before this news was posted.

  40. quicktime alternative? by Anonymous Coward · · Score: 0

    What about Quicktime Alternative, is this affected as well?

  41. Quicktime is the FF plugin from hell by caitsith01 · · Score: 4, Informative

    1. Quicktime doesn't ask whether you actually want to install the browser plugin when you install the QT player

    2. You HAVE to install Quicktime if you want to use iTunes

    3. You (sort of) HAVE to install iTunes if you want to use an iPod (although I strongly recommend people consider Winamp, which has native support now, or the excellent ml_ipod plugin for Winamp)

    4. Quicktime's browser plugin commandeers associations with a whole range of media types whether you want it to or not

    5. QT doesn't give you the option of launching QT in a totally separate window - it automatically opens things embedded in the browser and starts playing them

    6. QT seems to totally screw the ability to get Firefox to go back to launching media files with the good old "Open with..." dialog box, which lets you decide whether to open it, what to open it with, or whether to save it to disk

    7. QT has absolutely no regard for what other media players and file association you might already have configured for your browser

    and I guess we can add 8, although it was already implied

    8. QT is a buggy p.o.s. with worse functionality and security than any half-decent media player including VLC, Winamp, and (in my humble opinion) even the dreaded WMP.

    All of this reflects Apple's horrible attitude to developing software for the PC, which is essentially that they will utterly ignore the now well-established conventions of the platform in terms of installation behaviour, GUI and menu structure, and plugin behaviour and just run roughshod over the whole thing. Which would probably be more acceptable if their software JUST WORKED and was as fully featured as other options on the PC - but unfortunately that is not the case.

    --
    Read Pynchon.
    1. Re:Quicktime is the FF plugin from hell by onefriedrice · · Score: 1

      > 2. You HAVE to install Quicktime if you want to use iTunes

      Yeah, that is annoying. They toyed around with the idea of making Quicktime optional, but they didn't like the idea of iTunes not being able to do kind of important stuff once it's installed like, I dunno... play music?

      Weird huh?

      --
      This author takes full ownership and responsibility for the unpopular opinions outlined above.
    2. Re:Quicktime is the FF plugin from hell by caitsith01 · · Score: 2, Insightful

      Yeah, that is annoying. They toyed around with the idea of making Quicktime optional, but they didn't like the idea of iTunes not being able to do kind of important stuff once it's installed like, I dunno... play music?

      Weird huh?

      Yeah, because without Quicktime installed in Windows it is simply not possible to do kind of important stuff like, I dunno... play music, is it?

      Microsoft better make it part of the default Windows install pronto to give millions of users worldwide the ability to actually play music for the first time ever.

      Of course, that old version of iTunes which didn't require Quicktime and didn't play music was a bit pointless, too.
      --
      Read Pynchon.
    3. Re:Quicktime is the FF plugin from hell by Zebedeu · · Score: 1

      Exactly. There was a time where you could install iTunes without quicktime.
      Then some marketing genius at Apple started seeing all those downloads for iTunes without quicktime, and decided to bundle the install files, though you could still decompress the bundled .exe and install iTunes separately.
      Now it's still possible to decompress the file, but iTunes will cry like a little girl if you don't install quicktime.

      At least that was the situation last year when I got fed up with Apple's antics and installed songbird, and later, winamp (songbird's new beta broke a lot of stuff). I just wish someone would port banshee over so I could have a decent music player at work.

  42. Quicktime is popular?! by patiodragon · · Score: 1

    The 90's called, they want their latest fad back.

  43. RT2FA: It's NOT a Firefox plugin issue by InvisiBill · · Score: 3, Informative

    How do so many people have a problem understanding this? It's simple:

    Non-Firefox browser: exploit fails to execute, instead protected by bounds checking

    Firefox: exploit executes unchecked

    How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.

    Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.

    The headline should read "Vulnerability in QuickTime. IE mitigates attacks via its QT plugin. Firefox doesn't fix problem in QT."

    Per the Symantec article, the issue as related to Firefox is not with a plugin. The article states that QuickTime is run as a plugin inside IE and Safari. The vulnerable software is run inside the browser, and thus falls under the browser's control. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_IE.html shows this. However, in the case of Firefox, QuickTime is run as a standalone app outside the browser. See http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html. In this case, Firefox gets Item A and sees that the system is configured to handle that type of item with Program B. Therefore, Firefox hands Item A to Program B. It works exactly the same as launching the malicious file from the Run box.

    Once again, it is not a problem with Firefox's plugin system because this is not running as a Firefox plugin. Let me correct your quote. See how that makes it a little less cut and dried?

    Non-Firefox browser: exploit fails to execute inside browser plugin, instead protected by bounds checking
    Firefox: exploit executes unchecked completely outside of Firefox

    If there were a vulnerability in your email or FTP program, would you blame Firefox because it hands off mailto: and ftp: links to those external programs? Should Firefox be held responsible for malicious files (of any type - Word, MP3, .exe, etc.) that you download and then run externally? The Symantec article also mentions emailing attachments as an attack vector. Uh oh, Outlook and Thunderbird are also flawed, because they hand the file off to QuickTime to open too!

    Also, judging by the IE pic, it appears that their "buffer overrun protection" is "crashing the browser". In this case, the QT vuln is also a DoS against IE, while Firefox does not have that vulnerability.

    I agree that every program should do what it can to limit damage. However, Firefox can't do much about completely external programs. In this case, Firefox has no understanding of the data being downloaded, just that the system is configured to handle the data with a certain program. The only way to fix this is with filename/URL blacklisting so it doesn't open the bad URL (gee, that's practical) or by coding Firefox to understand every type of data it encounters. Essentially, code every other program into Firefox itself so that it can determine if the data is good or bad before handing it off (gee, that's practical). If this were a problem with a Firefox plugin, I would agree with you fully. However, it's a completely external program which Firefox has no control over, so I can't disagree more.

    1. Re:RT2FA: It's NOT a Firefox plugin issue by tmalone · · Score: 1

      My question is, what happens if you don't install the IE plugin when you install Quicktime? Does IE then hand the file off to regular quicktime, thus allowing the attack to proceed? Does IE7 have some system in place to only allow filetype handlers that are plugins? Or does it also manage external programs that it executes? Just curious.

  44. Your initial premise is incorrect by InvisiBill · · Score: 1

    When you use QT in Firefox, it appears in the FF window itself, it in a very real way seems to be part of FF. We aren't talking about opening a file that then spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.

    So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.

    No, the testing done in the article was not embedded inside the Firefox window. It did indeed spawn a completely separate app. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html

    Apples and oranges here. The plugin inside IE is protected via IE's features. The standalone app outside Firefox, as expected, is not protected by any features of Firefox.

    I don't know why it's run as a standalone app rather than as a plugin inside Firefox. Perhaps they didn't install the Netscape plugin or it's misconfigured. Perhaps Apple did a poor job of coding the Netscape plugin and it can only support some features, and has to pass other stuff out to the external program. But as it stands, Symantec's results on Firefox have nothing to do with Firefox's plugin system.

    1. Re:Your initial premise is incorrect by Almahtar · · Score: 1

      > I don't know why it's run as a standalone app rather than as a plugin inside Firefox.

      It's run in a separate process so if a plugin crashes your FireFox process won't get halted by the OS for a seg fault or whatever. This way a plugin can't crash your browser.
    2. Re:Your initial premise is incorrect by Myen · · Score: 1

      It appears that they're clicking on an rtsp:// link. Since Firefox uses NPAPI, which as far as I can tell is too dumb to handle protocols (it's all content-type/file extension based), Firefox gives up and asks the OS to handle it. Which invokes separate processes.

      Had the link been an application/x-rtsp (*.rtsp,*.rts) [1] file, it would be in a plugin (and therefore in the same process). Not that it would necessarily help... Firefox 2 and earlier are built with MSVC6, and it looks like IE was safe because it was VC8 (with more security checks). You'd want Firefox 3 betas for what little protection that might provide.

      For an equivalent with the WMP plugin, mms:// vs *.asx.

      [1] I just found some random thing in about:plugins that my copy of the quicktime plugin claims to support.

  45. Slippery slope. by SanityInAnarchy · · Score: 1

    If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it.

    That's not far from:

    If you are loading an app in your OS, perhaps you should load it in such a way that your OS can keep control over it.

    It is possible to write an OS in which malicious programs can be run, and are unable to do anything harmful, due to reduced privileges. Most of us don't do this, even to the extent that most modern OSes allow.

    Think about it -- why stop with plugins? You could run absolutely every app out there with buffer overflow protection. And then some of them would break, due to legitimately executing "data" memory natively -- Wine is one example, and I imagine it would hurt some of the faster LISP interpreters.

    Or you could decide that it's not the browser's job to fix everyone else's security issues, or limit the potential of what a "plugin" can be. Apple could certainly have implemented their own "buffer overflow protection".

    Now, I'm not advocating one approach over the other. I'd certainly rather live in a world where least privilege is the default (but without Vista's UAC popups); where QuickTime is written in a higher-level, managed-memory language; and where something like QuickTime can't possibly compromise more than what video it's showing you (it could show you Goatse out of spite, but not much else).

    But the reality is, QuickTime wasn't written in Java, or Erlang, and probably couldn't be run with its privileges any more reduced (on Windows) without triggering UAC popups, or (on OSX) sudo popups (or just not working at all). Given all of that, I think Firefox makes a reasonably fair compromise -- plugins are separate programs. If you want "safe plugins", you could always implement them as your own plugin (like nspluginwrapper).

    --
    Don't thank God, thank a doctor!
  46. The remark about engineers should read... by Anonymous Coward · · Score: 0

    The engineer says that the glass is 25% larger than it needs to be when factoring in a safety margin of 1.5

  47. Isn't this already fixed? by Anonymous Coward · · Score: 0

    I just got a firefox update and there was something in the last few security fixes listed about fixing some quicktime streaming thing. Or was that a different issue?

  48. OT MODS!! by Bill,+Shooter+of+Bul · · Score: 1

    That's not a troll. If someone really wants a browser that has no security problems, but does not try to prevent security problems of its plugins, they should be using a browser without plugins, or one that is not widely distributed. This attitude led to IE's (as well as many of Windows') security problems. When it comes to programs, they must behave as their brothers' keepers. To not do so is an act of negligence that harms the entire internet community.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  49. Paranoid (?) Vista/MS Opinion by Web+Goddess · · Score: 1

    I read both of your referenced sources.

    "Humorously, Apple still has a problem here. Vista ASLR requires a little cooperation [snip] Developers have to link their code with the flag /dynamicbase. This sets a bit in their compiled code that tells Vista it can randomize the layout of memory. Apple developers do not set that all-important flag, telling [ed note: NO!] Vista NOT to randomize their layout.

    Even though Apple didn't set it, you can set that flag yourself. It's just a single bit within the DLL file. If you flip that bit, then Vista will load QuickTime in a randomized fashion. As far as we can tell, QuickTime runs just fine under Vista with the ASLR bit set.

    The original location of QTOControl.dll.

    QuickTime has multiple executables, all of which must be changed in this manner. We set this bit on all the DLLs, then tried the latest QuickTime exploits. As we expected, setting the flag stops the exploits from working, protecting the system."


    Paranoid Wendy says, this is an exploit purposely found and publicized by Vista/MS.

    It's actually a bug in VISTA.

    1. Re:Paranoid (?) Vista/MS Opinion by Anonymous Coward · · Score: 0

      How is this, in any way, a bug in Vista?

  50. Re:MOD PARENT UP by Anonymous Coward · · Score: 0

    No. NX by itself cannot defend against an attack. If you mark some memory non-executable, an attacker can just do a return-to-libc attack and evade the protection. NX is one layer of security that needs to be used in conjunction with other layers like ASLR. Apple products do not take advantage of the ASLR support on Vista so these attacks are still possible.

    These links were posted earlier and do a good job of explaining it.
    http://erratasec.blogspot.com/2007/11/new-rtsp-quicktime-flaw-affects-both.html
    http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html

  51. VLC? by JaBob · · Score: 1

    Why not just use VLC?

    1. Re:VLC? by Anonymous Coward · · Score: 0

      I use media player classic but like the other A/C I avoid quicktime content until such time as they put a less bloated and intrusive player.

  52. What about Second Life Client ? by janrochat · · Score: 1

    I tested with the Second Life Client and it seems to have the same problem; see http://janrochat.wordpress.com/

  53. Why QuickTime? by MacDork · · Score: 1

    People still use quicktime?
    Why? Just why?

    Because it's the native format for MP4? Because I don't use Windows or have a system tray? Because it's installed by iTunes for anyone who owns an iPod? Because QuickTime Streaming server is free/open source? Because QuickTime supports everything from Karaoke to Photoshop formats? Because tons of cameras record in QuickTime movie format? ... I could really go on here... for quite a while. QuickTime does waaaaay more than movie playback.

  54. Interestingly Enough... by hcmtnbiker · · Score: 1
    failed to work properly against Internet Explorer 6/7 or Safari 3 Beta

    Interestingly enough, it seems that Metasploit has already found a way to break IE6/7 and Safari 3 Beta. A little bit of the comments in their source:

    # Calling Quicktime via URL kicks in an Extra Exception Handler,
    # of which we have no control over.
    # By making the buffer larger than the original exploit, we can overwrite
    # the last exception handler, and regain control over execution.
    # This is indeed an evil exploit - muhaha.

    --
    If i had one dollar for every brain you dont have, i would have $1.
  55. Re:bug by Myen · · Score: 1

    No, that's a separate bug (dealing with how QuickTime decides to completely ignore the APIs, instead opting for looking up the executable and manually making up a command line). This one is QuickTime failing to handle an RTSP stream and instead crashing.