Slashdot Mirror


Firefox Susceptible To QuickTime Security Flaw

Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta, but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin, and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."

13 of 231 comments

  1. And this is a firefox problem... by Shoeler · · Score: 4, Insightful

    Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?

    1. Re:And this is a firefox problem... by Volante3192 · · Score: 4, Insightful

      Exactly...the way I'm reading this, if someone opens whatever this is straight in Quicktime it'd be vulnerable.

      Guess they want the more hits by throwing Fox into the mess though, but really, why have Mozilla fix Apple's flaws?

    2. Re:And this is a firefox problem... by aredubya74 · · Score: 5, Insightful

      It's not a Firefox problem inasmuch as a fix to Firefox itself will fix the problem. However, it's a reasonable idea to provide a heads-up to Firefox users (savvy and not-so-savvy) that a popular associated app it interacts with contains a flaw that appears to be unique to said pairing.

      Besides, this is Slashdot. Since when did the headlines make sense?

      --

      RW

    3. Re:And this is a firefox problem... by Shoeler · · Score: 3, Insightful

      Look - I'm a programmer. It may sound pedantic of me, but I believe programs should be responsible only for what they are designed to do. Clearly this means being responsive and indeed responsible for their own security. Lapses in one's own program are unavoidable but should be quickly and non-quietly fixed. It's an interesting suggestion that the paradigm needs to shift to the parent app being solely responsible for its children's security.

      So taking your logic further, the OS should be responsible for all of this, so it's not even Firefox's problem. ^_^ Apps should be purpose built and responsible for that purpose. If you do the blame game up the line, you'll find tremendous bloat (more so than it already is) creeping into all first-line programs and even more so to the OS. If you don't blame Microsoft and OSX (the only two platforms Quicktime runs on, IIRC) as much as Firefox, you have violated your own thinking line.

    4. Re:And this is a firefox problem... by Ethanol-fueled · · Score: 3, Insightful

      QT has become the new realplayer. iTunes sucks as well. I found it to be more counterintuitive than the godawful SonicStage for my SONY (don't laugh) mp3 player!

    5. Re:And this is a firefox problem... by everphilski · · Score: 4, Insightful

      The real problem here is the way Firefox handles the plugins. Or rather does not.

      IE uses a plugin interface to deal with QuickTime. As such, it has a standard framework which does some bounds checking and can find buffer overflows like this one and kill a plugin (or iexplore.exe if necessary) preventing damage.
      Firefox just passes parameters on to an external program.

      Pick your poison, you can probably make justifications for either, but to me the IE method makes more sense. It's embedded content, it should be handled as a plugin to the parent application. You are a programmer, I'm sure you are familiar with the concepts of parents and children :). I'm a programmer too ... I have to sanitize my inputs and sanitize my outputs. When I call functions that aren't mine I have to make sure that they are doing what they should be doing, not wreaking havoc on my computer, and in a sense that's exactly what this comes down to, taking responsibility for a child process.

    6. Re:And this is a firefox problem... by marcello_dl · · Score: 3, Insightful

      Uhm but let's say we have good dog IE terminating the plugin for an overflow. IE won't be able to tell if it's accidental or malware at work, so it will throw a generic error or a warning at most, and terminate. The user really wants to see "supersexy.mov" so he may be tempted to download or get it from the browser's cache (people getting pr0n likely know about the cache). Or the user got the file by email or downloaded it with a spider. This time Quicktime player is invoked and blam, user is Pwned. So either all players must do bounds checking (inefficient) or it should be the OS, not the browser, the one who babysits processes.

      OTOH, babysitting probably takes up more resources so a paranoid OS will slow down. But IMHO the solution is still to taint dangerous stuff (what you got just downloaded) and have the OS babysit it.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
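A small supervisor sketching the model argued over in everphilski's and marcello_dl's comments above: the parent takes responsibility for the child process it hands untrusted content to, and does not quietly let the same file be retried after a crash. This is an added example, not code from the thread, Firefox or QuickTime; the handler is a constructed stand-in that aborts on a malformed file, and the resource limits and quarantine set are assumptions of the example.

```python
import os
import resource
import subprocess
import sys
import tempfile

# Constructed stand-in for an external media handler (not QuickTime): a child
# that reads the file and aborts, as stack protection would on an overflow,
# when the file is malformed (here: it starts with b"BAD").
HANDLER = [sys.executable, "-c",
           "import os, sys; d = open(sys.argv[1], 'rb').read(); "
           "os.abort() if d.startswith(b'BAD') else sys.exit(0)"]

# Files whose handler crashed; the parent refuses to hand them out again
# instead of leaving the user to retry the file outside the browser.
QUARANTINED = set()

def _limit_child():
    # Runs in the child before exec: cap CPU time and disable core dumps, so a
    # wedged or crashing handler neither hogs the machine nor writes its
    # memory (and whatever the file put there) to disk.
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))

def dispatch(path, timeout=10):
    """Run the handler on path; return 'ok', 'crashed' (killed by a signal,
    i.e. a probable memory-safety fault), 'timeout' or 'quarantined'."""
    if path in QUARANTINED:
        return "quarantined"
    try:
        proc = subprocess.run(HANDLER + [path], preexec_fn=_limit_child,
                              stdin=subprocess.DEVNULL, capture_output=True,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode < 0:  # POSIX: -N means terminated by signal N
        QUARANTINED.add(path)
        return "crashed"
    return "ok"

def write_sample(name, data):
    """Write constructed sample bytes to a fresh temp dir; return the path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    bad = write_sample("clip.mov", b"BAD" + b"A" * 64)
    print(dispatch(bad), dispatch(bad))  # crashed quarantined
```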

  2. How is this a firefox problem? by rminsk · · Score: 3, Insightful

    So how is this a firefox problem? Firefox spawns off another process that has a flaw and it crashes. This process is completely outside of the memory space of firefox at this point.

  3. Apple software not secure. by Anonymous Coward · · Score: 4, Insightful

    So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?

  4. Because of the end appearance by Sycraft-fu · · Score: 4, Insightful

    When you use QT in Firefox, it appears in the FF window itself; it in a very real way seems to be part of FF. We aren't talking about opening a file that then spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.

    So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.

  5. Re:That does it for me... by Homology · · Score: 3, Insightful

    Man, I'm using IE from now on. It's WAY more secure...

    Funny that security is not touted as much as a feature anymore compared to the early Firefox releases.

  6. Design for maliciousness by PhxBlue · · Score: 3, Insightful

    Software should be pessimistic. Design the code to handle incoming requests as potentially malicious, and you'll never be disappointed.

    --
    !#@%*)anks for hanging up the phone, dear.

  7. A bigger problem by 0123456 · · Score: 5, Insightful

    Is that there's apparently no way to simply disable a plugin in Firefox. In order to completely disable Quacktime I've had to go through various plugin directories physically deleting the files, and next time I have to update it all the bloody plugins will be back again.

    Why can't about:plugins just have a 'disable' box on each plugin? Or, better yet, a standard preferences menu list which just lets me disable them there and then?