Firefox Susceptible To QuickTime Security Flaw
Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."
It isn't a Firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.
Glass half empty, half full type thing. Of course, QuickTime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?
I 90% agree with you; however, I do think operating systems should handle transactions with internet applications differently than normal processes. Both Vista and Leopard and any Linux distro with SELinux enhancements have the ability to sandbox certain processes for added security. The reason this exploit does not work with IE is because it runs it as a plug-in and sandboxes all of those plug-ins within IE. I'd argue that any process to which data is "handed off" by a Web browser, e-mail client, or chat client should run in a sandbox as an extra layer of protection against this common type of attack.
Yeah, QuickTime is the culprit here and Firefox is not to blame, but I'd argue that the OS (all of them currently) is partly to blame for not sandboxing data coming into the machine via the Web.
How do so many people have a problem understanding this? It's simple:
Non-Firefox browser: exploit fails to execute, instead protected by bounds checking
Firefox: exploit executes unchecked
How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.
Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.
So what you are saying, fundamentally, is that it's actually Windows which is to blame as it allows passing untrusted files from the Internet to Firefox.
Shame on you Microsoft - defectivebydesign
Not necessarily. NX makes some exploits harder, but only really starts becoming a major obstacle in conjunction with randomised address space and stack canaries. Even with all that, some overflows are still exploitable.
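The comments above contrast a player that copies a streaming-protocol header into a fixed buffer unchecked with one that bounds-checks first, and note that NX, ASLR and stack canaries only catch the overflow after it has happened. The following C program is an added illustration and is not code from the thread, from Apple's QuickTime, or from any browser: it shows the unchecked copy pattern next to a header parser that checks the length before copying, and exercises the checked path on two constructed RTSP-style responses, one normal and one with a 200-byte Content-Type value. The header name, the 64-byte limit and both sample responses are assumptions made up for this example; the actual QuickTime defect details are not described on the page and are not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed limit for this example: the largest header value the
   handler is prepared to store.  Real players pick their own size. */
#define MAX_VALUE_LEN 64

/* Case-insensitive "Name:" prefix test (RTSP header names are
   case-insensitive). Returns 1 if `line` starts with `name` followed by ':'. */
static int has_header_name(const char *line, const char *name)
{
    for (; *name; ++line, ++name)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*name))
            return 0;
    return *line == ':';
}

/* The defect pattern the thread is discussing: a header value copied into
   a fixed-size buffer with no length check.  strcpy() writes past `out`
   as soon as the value is MAX_VALUE_LEN bytes or longer.  Shown only for
   contrast; it is never called on the oversized sample below. */
void copy_value_unchecked(const char *value, char out[MAX_VALUE_LEN])
{
    strcpy(out, value);
}

/* Bounds-checked version: copy the value of header `name` from one
   "Name: value" line into `out` (capacity `outlen`).  Returns 0 on success,
   -1 if the line is not that header or the value plus its NUL would not
   fit.  Rejecting rather than truncating means an oversized header never
   touches the fixed buffer at all, so no later mitigation has to fire. */
int parse_header_value(const char *line, const char *name,
                       char *out, size_t outlen)
{
    if (!has_header_name(line, name))
        return -1;
    const char *p = line + strlen(name) + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t vlen = strcspn(p, "\r\n");
    if (vlen + 1 > outlen)
        return -1;
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Walk a CRLF-separated RTSP response and extract Content-Type with the
   checked parser.  Returns 1 if a Content-Type was accepted, 0 if none
   was present or it was rejected as oversized. */
int handle_rtsp_response(const char *response, char *content_type, size_t ctlen)
{
    const char *line = response;
    while (*line) {
        if (parse_header_value(line, "Content-Type", content_type, ctlen) == 0)
            return 1;
        if (has_header_name(line, "Content-Type"))
            return 0;                /* header present but too long: reject */
        const char *eol = strstr(line, "\r\n");
        if (!eol)
            break;
        line = eol + 2;
    }
    return 0;
}

/* Constructed sample responses (not captured traffic). */
const char *const SAMPLE_OK =
    "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: video/quicktime\r\n\r\n";

/* Builds a response whose Content-Type value is 200 'A' bytes, well over
   MAX_VALUE_LEN, and returns a pointer to a static buffer holding it. */
const char *oversized_response(void)
{
    static char big[512];
    const char *head = "RTSP/1.0 200 OK\r\nContent-Type: ";
    size_t n = strlen(head);
    memcpy(big, head, n);
    memset(big + n, 'A', 200);
    memcpy(big + n + 200, "\r\n\r\n", 5);   /* includes terminating NUL */
    return big;
}

/* Scratch buffer sized to the limit, used by the demo and by the test. */
char scratch[MAX_VALUE_LEN];

int main(void)
{
    int ok = handle_rtsp_response(SAMPLE_OK, scratch, sizeof scratch);
    printf("normal response: accepted=%d content_type=%s\n", ok, scratch);
    int bad = handle_rtsp_response(oversized_response(), scratch, sizeof scratch);
    printf("oversized response: accepted=%d (rejected before any copy)\n", bad);
    return 0;
}
```

The difference between the two copy routines is the whole point: the checked parser makes the decision at the parsing boundary, before any data reaches the fixed buffer, so it does not depend on the browser's plugin model or on the OS's NX, ASLR or canary support to stop a bad header.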
If you are using 2.0.0.10 or later then you should already be protected against this exploit. THAT is why Firefox is still the best browser available.
This must be a Windows/Mac OS problem then! If they hadn't loaded Firefox, Firefox couldn't have loaded QuickTime!