Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firefox Susceptible To QuickTime Security Flaw

Posted by kdawson on from the exploit-available-in-the-wild dept.

Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."

4 of 231 comments (clear)

  1. Symantec is wrong... by Anonymous Coward · · Score: 4, Informative

    http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html
    http://erratasec.blogspot.com/2007/11/new-rtsp-quicktime-flaw-affects-both.html

    Standard buffer overflow protection doesn't work, Symantec was wrong. It seems that parts of Quicktime are not enabled for ASLR making these attacks possible.

  2. Re:A bigger problem by post.scriptum · · Score: 5, Informative

    You can disable plugins in Firefox 3.0 beta 1.

  3. Quicktime is the FF plugin from hell by caitsith01 · · Score: 4, Informative

    1. Quicktime doesn't ask whether you actually want to install the browser plugin when you install the QT player

    2. You HAVE to install Quicktime if you want to use iTunes

    3. You (sort of) HAVE to install iTunes if you want to use an iPod (although I strongly recommend people consider Winamp, which has native support now, or the excellent ml_ipod plugin for Winamp)

    4. Quicktime's browser plugin commandeers associations with a whole range of media types whether you want it to or not

    5. QT doesn't give you the option of launching QT in a totally separate window - it automatically opens things embedded in the browser and starts playing them

    6. QT seems to totally screw the ability to get Firefox to go back to launching media files with the good old "Open with..." dialog box, which lets you decide whether to open it, what to open it with, or whether to save it to disk

    7. QT has absolutely no regard for what other media players and file association you might already have configured for your browser

    and I guess we can add 8, although it was already implied

    8. QT is a buggy p.o.s. with worse functionality and security than any half-decent media player including VLC, Winamp, and (in my humble opinion) even the dreaded WMP.

    All of this reflects Apple's horrible attitude to developing software for the PC, which is essentially that they will utterly ignore the now well-established conventions of the platform in terms of installation behaviour, GUI and menu structure, and plugin behaviour and just run roughshod over the whole thing. Which would probably be more acceptable if their software JUST WORKED and was as fully featured as other options on the PC - but unfortunately that is not the case.

    --
    Read Pynchon.
  4. Re:And this is a firefox problem... by Benaiah · · Score: 5, Informative

    People still use quicktime?
    Why? Just why?
    Every website that has a quicktime video, I just go straight to youtube and search for the equivalent.
    This is mainly due to the fact that the quicktime plugin traditionally hasn't been able to automatically install. You have to actually go to their website and install some adware filled crap that will never leave your system tray alone.

    *bends over ready for -5 apple bashing*