Firefox Susceptible To QuickTime Security Flaw
Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."
Better safe than hacked.
No, better safe than CRACKED. When someone comes up with a hack for this, the problem is fixed.
Don't you know where you are? This is Slashdot, not the Wall Street Journal. Hacking is when you turn your transistor radio into a fuzzbox or your lawnmower into a robot. Hacking is NOT "breaking into a computer system", you silly normal person.
-mcgrew
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
I don't know... ~12% of the market is still quite a large number of people.
27% in Europe, over 40% in some countries.
http://www.xitimonitor.com/en-us/browsers-barometer/firefox-september-2007/index-1-2-3-110.html
http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html
http://erratasec.blogspot.com/2007/11/new-rtsp-quicktime-flaw-affects-both.html
Standard buffer overflow protection doesn't work; Symantec was wrong. It seems that parts of QuickTime are not enabled for ASLR, making these attacks possible.
Don't want to feed the troll but your logic is complete garbage. In recent memory, I can't recall hearing about a significant amount of security exploits for quicktime - certainly not more than Windows Media Player. Let's also ignore how long it takes a software vendor to fix the original bug. But yes - let's take 1 quicktime flaw to generalize that Apple products are insecure.
You can disable plugins in Firefox 3.0 beta 1.
The only thing worse than QuickTime is RealPlayer. Both are asstastic pieces of shit that are NOT, under any circumstances, allowed on any of my machines.
This is Apple's screwup in its code. Could Firefox handle it differently? Sure. But it ain't the code that they wrote that is the problem here.
Angry Network Admin
In a very narrow sense you are correct. The exploit is in Quicktime. However, in a general sense you are wrong because there are other browsers that, through their design and security models, do not allow this to happen. They shut down the offending code.
It does not really matter that the 'actual' vulnerability is in QuickTime. Firefox is the application that controls whether this vulnerability will affect the user, since it is obvious that it is possible to have code in Firefox that stops this exploit from working.
It is also a Firefox problem because any other plugin of this type is equally vulnerable using Firefox. From a secure coding point of view, is it your problem if you create an avenue whereby an exploit can occur? Damn straight! In this case, perhaps running the plugins in a controlled and monitored sandbox would be a good design change, instead of forking another process...
1. Quicktime doesn't ask whether you actually want to install the browser plugin when you install the QT player
2. You HAVE to install Quicktime if you want to use iTunes
3. You (sort of) HAVE to install iTunes if you want to use an iPod (although I strongly recommend people consider Winamp, which has native support now, or the excellent ml_ipod plugin for Winamp)
4. Quicktime's browser plugin commandeers associations with a whole range of media types whether you want it to or not
5. QT doesn't give you the option of launching QT in a totally separate window - it automatically opens things embedded in the browser and starts playing them
6. QT seems to totally screw the ability to get Firefox to go back to launching media files with the good old "Open with..." dialog box, which lets you decide whether to open it, what to open it with, or whether to save it to disk
7. QT has absolutely no regard for what other media players and file association you might already have configured for your browser
and I guess we can add 8, although it was already implied
8. QT is a buggy p.o.s. with worse functionality and security than any half-decent media player including VLC, Winamp, and (in my humble opinion) even the dreaded WMP.
All of this reflects Apple's horrible attitude to developing software for the PC, which is essentially that they will utterly ignore the now well-established conventions of the platform in terms of installation behaviour, GUI and menu structure, and plugin behaviour and just run roughshod over the whole thing. Which would probably be more acceptable if their software JUST WORKED and was as fully featured as other options on the PC - but unfortunately that is not the case.
Read Pynchon.
People still use quicktime?
Why? Just why?
Every website that has a quicktime video, I just go straight to youtube and search for the equivalent.
This is mainly due to the fact that the quicktime plugin traditionally hasn't been able to automatically install. You have to actually go to their website and install some adware filled crap that will never leave your system tray alone.
*bends over ready for -5 apple bashing*
Non-Firefox browser: exploit fails to execute, instead protected by bounds checking
Firefox: exploit executes unchecked
How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.
Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.
The headline should read "Vulnerability in QuickTime. IE mitigates attacks via its QT plugin. Firefox doesn't fix problem in QT."
Per the Symantec article, the issue as related to Firefox is not with a plugin. The article states that QuickTime is run as a plugin inside IE and Safari. The vulnerable software is run inside the browser, and thus falls under the browser's control. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_IE.html shows this. However, in the case of Firefox, QuickTime is run as a standalone app outside the browser. See http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html. In this case, Firefox gets Item A and sees that the system is configured to handle that type of item with Program B. Therefore, Firefox hands Item A to Program B. It works exactly the same as launching the malicious file from the Run box.
Once again, it is not a problem with Firefox's plugin system because this is not running as a Firefox plugin. Let me correct your quote. See how that makes it a little less cut and dried?
If there were a vulnerability in your email or FTP program, would you blame Firefox because it hands off mailto: and ftp: links to those external programs? Should Firefox be held responsible for malicious files (of any type - Word, MP3, .exe, etc.) that you download and then run externally? The Symantec article also mentions emailing attachments as an attack vector. Uh oh, Outlook and Thunderbird are also flawed, because they hand the file off to QuickTime to open too!
Also, judging by the IE pic, it appears that their "buffer overrun protection" is "crashing the browser". In this case, the QT vuln is also a DoS against IE, while Firefox does not have that vulnerability.
I agree that every program should do what it can to limit damage. However, Firefox can't do much about completely external programs. In this case, Firefox has no understanding of the data being downloaded, just that the system is configured to handle the data with a certain program. The only way to fix this is with filename/URL blacklisting so it doesn't open the bad URL (gee, that's practical) or by coding Firefox to understand every type of data it encounters. Essentially, code every other program into Firefox itself so that it can determine if the data is good or bad before handing it off (gee, that's practical). If this were a problem with a Firefox plugin, I would agree with you fully. However, it's a completely external program which Firefox has no control over, so I can't disagree more.
Unfortunately, for this particular exploit that would have no bearing. The whole point was that Firefox couldn't use plugins for links to unknown protocols (in this case, rtsp://) and therefore launches the system default protocol handler (though I do recall there was a warning with a "don't tell me again" checkbox).
As far as the Firefox side was concerned, there was no plugin. It's the standalone app that's being exploited.
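The hand-off mechanism argued over above (Firefox passing an rtsp:// link to whatever the system registers as its handler, and the "don't tell me again" warning) is governed by per-scheme prefs in the profile's prefs.js. The following is an added example, not from the thread or from Mozilla: it parses a constructed prefs.js fragment, reports whether rtsp links would be handed to an external player, and emits the hardened settings. The pref names `network.protocol-handler.external.<scheme>`, `network.protocol-handler.external-default`, `network.protocol-handler.warn-external.<scheme>` and `network.protocol-handler.warn-external-default` are Firefox's own; the fallback defaults (both true) are assumed.

```python
import re
from typing import Dict, List, Union

# Constructed sample of a profile's prefs.js; not taken from the thread.
SAMPLE_PREFS = '''
user_pref("network.protocol-handler.external-default", true);
user_pref("network.protocol-handler.warn-external.rtsp", false);
user_pref("network.protocol-handler.external.mailto", true);
'''

PREF_LINE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

def parse_prefs(text: str) -> Dict[str, Union[bool, int, str]]:
    """Turn user_pref("name", value); lines into a dict with typed values."""
    prefs: Dict[str, Union[bool, int, str]] = {}
    for name, raw in PREF_LINE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs

def external_handoff_allowed(prefs: Dict, scheme: str) -> bool:
    """Per-scheme pref wins; otherwise external-default (assumed default: true)."""
    per_scheme = prefs.get(f"network.protocol-handler.external.{scheme}")
    if per_scheme is not None:
        return bool(per_scheme)
    return bool(prefs.get("network.protocol-handler.external-default", True))

def warns_before_handoff(prefs: Dict, scheme: str) -> bool:
    """Whether the external-launch warning dialog still appears (assumed default: true)."""
    per_scheme = prefs.get(f"network.protocol-handler.warn-external.{scheme}")
    if per_scheme is not None:
        return bool(per_scheme)
    return bool(prefs.get("network.protocol-handler.warn-external-default", True))

def audit(prefs: Dict, scheme: str = "rtsp") -> List[str]:
    """Findings a defender would want to see for one URL scheme."""
    findings = []
    if external_handoff_allowed(prefs, scheme):
        findings.append(f"{scheme}: links are handed to the system's external handler")
    if not warns_before_handoff(prefs, scheme):
        findings.append(f"{scheme}: external-launch warning dialog is suppressed")
    return findings

def hardened_prefs(scheme: str = "rtsp") -> List[str]:
    """Lines to drop into user.js so the browser refuses the hand-off and keeps the warning."""
    return [f'user_pref("network.protocol-handler.external.{scheme}", false);',
            f'user_pref("network.protocol-handler.warn-external.{scheme}", true);']

if __name__ == "__main__":
    for line in audit(parse_prefs(SAMPLE_PREFS)) + hardened_prefs():
        print(line)
```

Applying the hardened lines only blocks the browser-to-player hand-off for that scheme; it does nothing for the attachment vector mentioned earlier in the thread.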