Firefox Susceptible To QuickTime Security Flaw

← Back to Stories (view on slashdot.org)

Firefox Susceptible To QuickTime Security Flaw

Posted by kdawson on Tuesday November 27, 2007 @07:56AM from the exploit-available-in-the-wild dept.

Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."

47 of 231 comments (clear)

And this is a firefox problem... by Shoeler · 2007-11-27 07:57 · Score: 4, Insightful

Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?
1. Re:And this is a firefox problem... by Volante3192 · 2007-11-27 08:01 · Score: 4, Insightful
  
  Exactly...the way I'm reading this, if someone opens whatever this is straight in Quicktime it'd be vulnerable.
  
  Guess they want the more hits by throwing Fox into the mess though, but really, why have Mozilla fix Apple's flaws?
2. Re:And this is a firefox problem... by aredubya74 · 2007-11-27 08:01 · Score: 5, Insightful
  
  It's not a Firefox problem inasmuchas a fix to Firefox itself will fix the problem. However, it's a reasonable idea to provide a heads-up to Firefox users (savvy and not-so-savvy) that a popular associated app it interacts with contains a flaw that appears to be unique to said pairing.
  
  Besides, this is Slashdot. Since when did the headlines make sense?
  
  --
  RW
3. Re:And this is a firefox problem... by everphilski · 2007-11-27 08:04 · Score: 5, Interesting
  
  It isn't a firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.
  
  Glass half empty, half full type thing. Of course, Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?
4. Re:And this is a firefox problem... by 99BottlesOfBeerInMyF · 2007-11-27 08:12 · Score: 4, Interesting
  
  Here's the deal: This is a QuickTime problem, not a Firefox problem. Apple needs to fix QuickTime. There should be nothing wrong with Firefox handing off the request to an application that's supposed to handle it correct.
  I 90% agree with you; however, I do think operating systems should handle transactions with internet applications differently than normal processes. Both Vista and Leopard and any Linux distro with SELinux enhancements has the ability to sandbox certain processes for added security. The reason this exploit does not work with IE is because runs it as a plug-in and sandboxes all of those plug-ins within IE. I'd argue that any process to which data is "handed off" by a Web browser, e-mail client, or chat client should run in a sandbox as an extra layer of protection against this common type of attack.
  
  Yeah, Quicktime is the culprit here and Firefox is not to blame, but I'd argue that the OS (all of them currently) is partly to blame for not sandboxing data coming into the machine via the Web.
5. Re:And this is a firefox problem... by Shoeler · 2007-11-27 08:14 · Score: 2, Insightful
  
  Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking? I'd rather have a browser that focuses on making sites render most correctly, most quickly, and where only its core functions are concerns of the already burdened developers.
  
  But that's just me talkin'.
6. Re:And this is a firefox problem... by purpledinoz · 2007-11-27 08:20 · Score: 2, Insightful
  
  My solution is to not use QuickTime. What pisses me off about QT is that it puts itself in the Windows startup, eating up memory for no reason. In fact, I stopped using iTunes all together because it installs a couple of services AND QuickTime. Plus, it's such a pain in the ass when I plug in my iPod to charge, and my computer starts to kill itself loading up iTunes automatically. I use Winamp with the external ml_ipod plugin. It's much better.
7. Re:And this is a firefox problem... by sm62704 · 2007-11-27 08:23 · Score: 4, Funny
  
  Glass half empty, half full type thing.
  
  The optimist says the glass is half full. The pessimist says the glass is half empty. The scientist says there is .3764666437 litres. The realist says "there's not enough". The doctor says "he's dead, Jim".
  
  --
  mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
8. Re:And this is a firefox problem... by znode · 2007-11-27 08:35 · Score: 4, Funny
  
  The engineer says that the glass is twice as large as it needs to be.
  
  Jack Bauer found out where the glass was, who drank the water, and which government they worked for.
9. Re:And this is a firefox problem... by Shoeler · 2007-11-27 08:52 · Score: 3, Insightful
  
  Look - I'm a programmer. It may sound pedantic of me, but I believe programs should be responsible only for what they are designed to do. Clearly this means being responsive and indeed responsible for their own security. Lapses in one's own program are unavoidable but should be quickly and non-quietly fixed. It's an interesting suggestion that the paradigm needs to shift to the parent app being solely responsible for its children's security.
  
  So taking your logic further, the OS should be responsible for all of this, so it's not even Firefox's problem. ^_^ Apps should be purpose built and responsible for that purpose. If you do the blame game up the line, you'll find tremendous bloat (more so than it already is) creeping into all first-line programs and even more so to the OS. If you don't blame Microsoft and OSX (the only two platforms Quicktime runs on, IIRC) as much as Firefox, you have violated your own thinking line.
10. Re:And this is a firefox problem... by thomas.galvin · 2007-11-27 09:07 · Score: 4, Funny
  
  (and for the first time ever, IE just kind of sat off to the side and shrugged it's shoulders in disinterest that it isn't affected). As opposed to all of the times IE just kind of sat off to the side and shrugged it's shoulders in disinterest even though it was affected.
  
  --
  Thomas Galvin
11. Re:And this is a firefox problem... by Ethanol-fueled · 2007-11-27 09:51 · Score: 3, Insightful
  
  QT has become the new realplayer. iTunes sucks as well. I found it to be more counterintuitive than the godawful SonicStage for my SONY(don't laugh) mp3 player!
12. Re:And this is a firefox problem... by Bill,+Shooter+of+Bul · 2007-11-27 09:59 · Score: 2, Insightful
  
  I agree with your logic extension. If the operating system can prevent a security problem, it should as long as it can differentiate between the malicious behavior and normal application behavior. This is why such things as SELinux exist. Every part of the program in the stack should be responsible for its security and prevent any of its children from doing bad things as much as possible.
  
  --
  Well.. maybe. Or Maybe not. But Definitely not sort of.
13. Re:And this is a firefox problem... by everphilski · 2007-11-27 10:10 · Score: 4, Insightful
  
  The real problem here is the way Firefox handles the plugins. Or rather does not.
  
  IE uses a plugin interface to deal with QuickTime. As such, it has a standard framework which does some bounds checking and can find buffer overflows like this one and kill a plugin (or iexplore.exe if necessary) preventing damage.
  Firefox just passes parameters on to an external program.
  
  Pick your poison, you can probably make justifications for either, but to me the IE method makes more sense. It's embedded content, it should be handled as a plugin to the parent application. You are a programmer, I'm sure you are familiar with the concepts of parents and children :). I'm a programmer too ... I have to sanitize my inputs and sanitize my outputs. When I call functions that aren't mine I have to make sure that they are doing what they should be doing, not wreaking havoc on my computer, and in a sense that's exactly what this comes down to, taking responsibility for a child process.
14. Re:And this is a firefox problem... by jvkjvk · 2007-11-27 10:12 · Score: 3, Informative
  
  In a very narrow sense you are correct. The exploit is in Quicktime. However, in a general sense you are wrong because there are other browsers that, through their design and security models, do not allow this to happen. They shut down the offending code.
  
  It does not really matter that the 'actual' vulnerability is in Quicktime. Firefox is the application that controls whether this vulnerability will affect the user, since it is obvious that is it possible to have code in Firefox that stops this exploit from working.
  
  It is also a Firefox problem because any other plugin of this type is equally vulnerable using Firefox. From a secure coding point of view, is it your problem if you create an avenue whereby an exploit can occur? Damn straight! In this case, perhaps running the plugins in a controlled and monitored sandbox would be a good design change, instead of forking another process...
15. Re:And this is a firefox problem... by marcello_dl · 2007-11-27 10:42 · Score: 3, Insightful
  
  Uhm but let's say we have good dog IE terminating the plugin for an overflow. IE won't be able to tell if it's accidental or malware at work, so it will throw a generic error or a warning at most, and terminate. The user really wants to see "supersexy.mov" so he may be tempted to download or get it from the browser's cache (people getting pr0n likely know about the cache). Or the user got the file by email or downloaded it with a spider. This time Quicktime player is invoked and blam, user is Pwned. So either all players must do bounds checking (inefficient) or it should be the OS, not the browser, the one who babysits processes.
  
  OTOH, babysitting probably takes up more resources so a paranoid OS will slow down. But IMHO the solution is still to taint dangerous stuff (what you got just downloaded) and have the OS babysit it.
  
  --
  ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
16. Re:And this is a firefox problem... by segra · 2007-11-27 11:52 · Score: 2, Interesting
  
  This must be a windows/macos problem then! If they hadn't loaded Firefox, Firefox couldnt of loaded Quicktime!
17. Re:And this is a firefox problem... by Benaiah · 2007-11-27 12:48 · Score: 5, Informative
  
  People still use quicktime?
  Why? Just why?
  Every website that has a quicktime video, I just go straight to youtube and search for the equivalent.
  This is mainly due to the fact that the quicktime plugin traditionally hasn't been able to automatically install. You have to actually go to their website and install some adware filled crap that will never leave your system tray alone.
  
  *bends over ready for -5 apple bashing*
That does it for me... by skeftomai · 2007-11-27 08:00 · Score: 5, Funny

Man, I'm using IE from now on. It's WAY more secure...
1. Re:That does it for me... by Homology · 2007-11-27 08:15 · Score: 3, Insightful
  
  Man, I'm using IE from now on. It's WAY more secure...
  Funny that security is not touted as much as a feature anymore compared to the early Firefox releases.
2. Re:That does it for me... by isorox · 2007-11-27 09:13 · Score: 2, Informative
  
  I don't know... ~12% of the market is still quite a large number of people.
  
  27% in europe, over 40% in some countries.
  
  http://www.xitimonitor.com/en-us/browsers-barometer/firefox-september-2007/index-1-2-3-110.html
How is this a firefox problem? by rminsk · 2007-11-27 08:01 · Score: 3, Insightful

So how is this a firefox problem? Firefox spawns off another process that has a flaw and it crashes. This process is completely outside of the memory space of firefox at this point.
1. Re:How is this a firefox problem? by Anonymous Coward · 2007-11-27 08:20 · Score: 2, Interesting
  
  How do so many people have a problem understanding this? It's simple:
  
  Non-Firefox browser: exploit fails to execute, instead protected by bounds checking
  
  Firefox: exploit executes unchecked
  
  How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.
  
  Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.
2. Re:How is this a firefox problem? by Anonymous Coward · 2007-11-27 08:27 · Score: 2, Insightful
  
  Because it is possible to have a better security model that doesnt spawn off another process.
  
  Kind of like how on an old operating system that doesnt have seperate address spaces it isnt the OSes fault if you run a program that brings down the entire system. But there is a better OS design they could have used that would have prevented that. Same thing here, there is a better browser design that would have prevented this.
3. Re:How is this a firefox problem? by Anonymous Coward · 2007-11-27 08:42 · Score: 2, Insightful
  
  Which is exactly the problem. It should not pass untrusted files to other trusted apps. It should keep it inside it's own buffer overflow protection bubble as IE does.
  
  If this was an IE problem, you know the tagging beta would be full of 'defectivebydesign' and 'haha' remarks. But this is Firefox, so all is forgiven.
Apple software not secure. by Anonymous Coward · 2007-11-27 08:04 · Score: 4, Insightful

So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?
1. Re:Apple software not secure. by Anonymous Coward · 2007-11-27 09:15 · Score: 2, Insightful
  
  Its more that itunes isnt opening untrusted files and connecting to untrusted servers. I guess you could consider mp3s to be untrusted, but most of them come from apple's servers so its not like you are downloading them from some random guy in russia.
Troll -1 by dgr73 · 2007-11-27 08:05 · Score: 4, Funny

"Quicktime bug!?! Oh sweet Joseph of Arimathea!!!! Quick, inform the users.. YES BOTH OF THEM!"
Because of the end appearance by Sycraft-fu · 2007-11-27 08:06 · Score: 4, Insightful

When you use QT in Firefox, it appears in the FF window itself, it in a very real way seems to be part of FF. We aren't talking about opening a file that ten spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.

So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.
MOD Parent Funnt by Bryansix · 2007-11-27 08:10 · Score: 2, Insightful

Cause that is what his post is.
Re:Safety through laziness. by njfuzzy · 2007-11-27 08:16 · Score: 2, Insightful

If you have a Mac, then you have QuickTime. If you have iTunes, then you have QuickTime. That may not apply to you, but its fair to say it covers a huge chunk of marketplace overall. (I believe people who download Safari 3 Beta for Windows, and Bonjour for Windows, also have QuickTime by default, but they are bound to be a very small group.)

--
My Photography - http://ian-x.com
The Deathlings (comic) - http://thedeathlings.com
Re:What version of Firefox? Or IE? by sm62704 · 2007-11-27 08:31 · Score: 3, Informative

Better safe than hacked.

No, better safe than CRACKED. When someone comes up with a hack for this, the problem is fixed.

Don't you know where you are? This is slashdot, not the wall street journal. Hacking is when you turn your transistor radio into a fuzzbox or your lawnmower into a robot. Hacking is NOT "breaking into a computer system" you silly normal person.

-mcgrew

--
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Design for maliciousness by PhxBlue · 2007-11-27 08:34 · Score: 3, Insightful

Software should be pessimistic. Design the code to handle incoming requests as potentially malicious, and you'll never be disappointed.

--
!#@%*)anks for hanging up the phone, dear.
Phew by lluBdeR · 2007-11-27 08:39 · Score: 2, Insightful

Man am I glad my system seems to deal with this problem proactively: The Quicktime plugin crashes anything that contains it almost as soon as it's drawn!

Thank you Apple for protecting me from, well, Apple!
A bigger problem by 0123456 · 2007-11-27 08:59 · Score: 5, Insightful

Is that there's apparently no way to simply disable a plugin in Firefox. In order to completely disable Quacktime I've had to go through various plugin directories physically deleting the files, and next time I have to update it all the bloody plugins will be back again.

Why can't about:plugins just have a 'disable' box on each plugin? Or, better yet, a standard preferences menu list which just lets me disable them there and then?
1. Re:A bigger problem by post.scriptum · 2007-11-27 09:30 · Score: 5, Informative
  
  You can disable plugins in Firefox 3.0 beta 1.
2. Re:A bigger problem by Myen · 2007-11-27 18:57 · Score: 2, Informative
  
  Unfortunately, for this particular exploit that would have no bearing. The whole point was that Firefox couldn't use plugins for links to unknown protocols (in this case, rtsp://) and therefore launches the system default protocol handler (though I do recall there was a warning with a "don't tell me again" checkbox)
  
  As far as the Firefox side was concerned, there was no plugin. It's the standalone app that's being exploited.
Symantec is wrong... by Anonymous Coward · 2007-11-27 09:16 · Score: 4, Informative

http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html
http://erratasec.blogspot.com/2007/11/new-rtsp-quicktime-flaw-affects-both.html

Standard buffer overflow protection doesn't work, Symantec was wrong. It seems that parts of Quicktime are not enabled for ASLR making these attacks possible.
1. Re:Symantec is wrong... by makomk · 2007-11-27 09:43 · Score: 2, Informative
  
  Someone please mod parent up. Basically, there are two aspects to this:
  1) Someone has apparently figured out a way to launch the exploit that avoids the protection works correctly in Internet Explorer
  2) QuickTime (and its libraries) are not marked to allow ALSR, which would make this much harder to exploit.
Website's fault by nbucking · 2007-11-27 09:19 · Score: 2, Insightful

This problem's principle fault lies with Apple. But it seems that they are sitting on their asses because it seems to be a problem that has been around for awhile. So those websites that use quicktime should use flash player, media player, or realplayer. Heck I have gotten video lan to take care of them all but those who do not want the trouble should blame the stupid websites. As far as I am concerned about firefox not handling apple's screwup as well as the other browsers it is scary. Yet if quicktime is broken then even if you use the other browsers then it simply does not matter, you still have DoS.
The only thing worse... by etiam.maior · 2007-11-27 09:31 · Score: 2, Informative

The only thing worse than QuickTime is RealPlayer. Both are asstastic pieces of shit that are NOT, under any circumstances, allowed on any of my machines.

This is Apple's screwup in its code. Could FireFox handle it differently? Sure. But it ain't the code that they wrote that is the problem here.

--
Angry Network Admin
Re:Quicktime - default??? by 47Ronin · 2007-11-27 10:17 · Score: 2, Insightful

Of course. It comes with my Mac. It works well. I have the Perian, Divx, and Flip4Mac plugins so I can handle pretty much any codec, including FLV so I'm quite happy. It will also export pretty much anything. FAQ about QuickTime

--
Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
Firefox already patched by Cyko_01 · 2007-11-27 11:12 · Score: 3, Interesting

if you are using 2.0.0.10 or later then you should already be protected against this exploit. THAT is why firefox is still the best browser available
1. Re:Firefox already patched by Myen · 2007-11-27 19:02 · Score: 2, Interesting
  
  Really? it doesn't seem to be listed. Got a bugzilla bug #?
Quicktime is the FF plugin from hell by caitsith01 · 2007-11-27 11:46 · Score: 4, Informative

1. Quicktime doesn't ask whether you actually want to install the browser plugin when you install the QT player

2. You HAVE to install Quicktime if you want to use iTunes

3. You (sort of) HAVE to install iTunes if you want to use an iPod (although I strongly recommend people consider Winamp, which has native support now, or the excellent ml_ipod plugin for Winamp)

4. Quicktime's browser plugin commandeers associations with a whole range of media types whether you want it to or not

5. QT doesn't give you the option of launching QT in a totally separate window - it automatically opens things embedded in the browser and starts playing them

6. QT seems to totally screw the ability to get Firefox to go back to launching media files with the good old "Open with..." dialog box, which lets you decide whether to open it, what to open it with, or whether to save it to disk

7. QT has absolutely no regard for what other media players and file association you might already have configured for your browser

and I guess we can add 8, although it was already implied

8. QT is a buggy p.o.s. with worse functionality and security than any half-decent media player including VLC, Winamp, and (in my humble opinion) even the dreaded WMP.

All of this reflects Apple's horrible attitude to developing software for the PC, which is essentially that they will utterly ignore the now well-established conventions of the platform in terms of installation behaviour, GUI and menu structure, and plugin behaviour and just run roughshod over the whole thing. Which would probably be more acceptable if their software JUST WORKED and was as fully featured as other options on the PC - but unfortunately that is not the case.

--
Read Pynchon.
1. Re:Quicktime is the FF plugin from hell by caitsith01 · 2007-11-27 16:45 · Score: 2, Insightful
  
  Yeah, that is annoying. They toyed around with the idea of making Quicktime optional, but they didn't like the idea of iTunes not being able to do kind of important stuff once it's installed like, I dunno... play music?
  
  Weird huh?
  
  Yeah, because without Quicktime installed in Windows it is simply not possible to do kind of important stuff like, I dunno... play music, is it?
  
  Microsoft better make it part of the default Windows install pronto to give millions of users worldwide the ability to actually play music for the first time ever.
  
  Of course, that old version of iTunes which didn't require Quicktime and didn't play music was a bit pointless, too.
  
  --
  Read Pynchon.
RT2FA: It's NOT a Firefox plugin issue by InvisiBill · 2007-11-27 13:15 · Score: 3, Informative

How do so many people have a problem understanding this? It's simple:

Non-Firefox browser: exploit fails to execute, instead protected by bounds checking

Firefox: exploit executes unchecked

How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.

Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.
The headline should read "Vulnerability in QuickTime. IE mitigates attacks via its QT plugin. Firefox doesn't fix problem in QT."

Per the Symantec article, the issue as related to Firefox is not with a plugin. The article states that QuickTime is run as a plugin inside IE and Safari. The vulnerable software is run inside the browser, and thus falls under the browser's control. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_IE.html shows this. However, in the case of Firefox, QuickTime is run as a standalone app outside the browser. See http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html. In this case, Firefox gets Item A and sees that the system is configured to handle that type of item with Program B. Therefore, Firefox hands Item A to Program B. It works exactly the same as launching the malicious file from the Run box.

Once again, it is not a problem with Firefox's plugin system because this is not running as a Firefox plugin. Let me correct your quote. See how that makes it a little less cut and dried?
Non-Firefox browser: exploit fails to execute inside browser plugin, instead protected by bounds checking
Firefox: exploit executes unchecked completely outside of Firefox

If there were a vulnerability in your email or FTP program, would you blame Firefox because it hands off mailto: and ftp: links to those external programs? Should Firefox be held responsible for malicious files (of any type - Word, MP3, .exe, etc.) that you download and then run externally? The Symantec article also mentions emailing attachments as an attack vector. Uh oh, Outlook and Thunderbird are also flawed, because they hand the file off to QuickTime to open too!

Also, judging by the IE pic, it appears that their "buffer overrun protection" is "crashing the browser". In this case, the QT vuln is also a DoS against IE, while Firefox does not have that vulnerability.

I agree that every program should do what it can to limit damage. However, Firefox can't do much about completely external programs. In this case, Firefox has no understanding of the data being downloaded, just that the system is configured to handle the data with a certain program. The only way to fix this is with filename/URL blacklisting so it doesn't open the bad URL (gee, that's practical) or by coding Firefox to understand every type of data it encounters. Essentially, code every other program into Firefox itself so that it can determine if the data is good or bad before handing it off (gee, that's practical). If this were a problem with a Firefox plugin, I would agree with you fully. However, it's a completely external program which Firefox has no control over, so I can't disagree more.