Firefox Susceptible To QuickTime Security Flaw

Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."

18 of 231 comments

  1. And this is a firefox problem... by Shoeler · · Score: 4, Insightful

    Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?

    1. Re:And this is a firefox problem... by Volante3192 · · Score: 4, Insightful

      Exactly...the way I'm reading this, if someone opens whatever this is straight in Quicktime it'd be vulnerable.

      Guess they want the more hits by throwing Fox into the mess though, but really, why have Mozilla fix Apple's flaws?

    2. Re:And this is a firefox problem... by aredubya74 · · Score: 5, Insightful

      It's not a Firefox problem inasmuch as a fix to Firefox itself will fix the problem. However, it's a reasonable idea to provide a heads-up to Firefox users (savvy and not-so-savvy) that a popular associated app it interacts with contains a flaw that appears to be unique to said pairing.

      Besides, this is Slashdot. Since when did the headlines make sense?

      --

      RW

    3. Re:And this is a firefox problem... by everphilski · · Score: 5, Interesting

      It isn't a firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.

      Glass half empty, half full type thing. Of course, Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?

    4. Re:And this is a firefox problem... by 99BottlesOfBeerInMyF · · Score: 4, Interesting

      Here's the deal: This is a QuickTime problem, not a Firefox problem. Apple needs to fix QuickTime. There should be nothing wrong with Firefox handing off the request to an application that's supposed to handle it correctly.

      I 90% agree with you; however, I do think operating systems should handle transactions with internet applications differently than normal processes. Both Vista and Leopard and any Linux distro with SELinux enhancements have the ability to sandbox certain processes for added security. The reason this exploit does not work with IE is because it runs it as a plug-in and sandboxes all of those plug-ins within IE. I'd argue that any process to which data is "handed off" by a Web browser, e-mail client, or chat client should run in a sandbox as an extra layer of protection against this common type of attack.

      Yeah, Quicktime is the culprit here and Firefox is not to blame, but I'd argue that the OS (all of them currently) is partly to blame for not sandboxing data coming into the machine via the Web.

    5. Re:And this is a firefox problem... by sm62704 · · Score: 4, Funny

      Glass half empty, half full type thing.

      The optimist says the glass is half full. The pessimist says the glass is half empty. The scientist says there is .3764666437 litres. The realist says "there's not enough". The doctor says "he's dead, Jim".

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest

    6. Re:And this is a firefox problem... by znode · · Score: 4, Funny

      The engineer says that the glass is twice as large as it needs to be.

      Jack Bauer found out where the glass was, who drank the water, and which government they worked for.

    7. Re:And this is a firefox problem... by thomas.galvin · · Score: 4, Funny

      (and for the first time ever, IE just kind of sat off to the side and shrugged its shoulders in disinterest that it isn't affected). As opposed to all of the times IE just kind of sat off to the side and shrugged its shoulders in disinterest even though it was affected.

    8. Re:And this is a firefox problem... by everphilski · · Score: 4, Insightful

      The real problem here is the way Firefox handles the plugins. Or rather does not.

      IE uses a plugin interface to deal with QuickTime. As such, it has a standard framework which does some bounds checking and can find buffer overflows like this one and kill a plugin (or iexplore.exe if necessary) preventing damage.
      Firefox just passes parameters on to an external program.

      Pick your poison, you can probably make justifications for either, but to me the IE method makes more sense. It's embedded content, it should be handled as a plugin to the parent application. You are a programmer, I'm sure you are familiar with the concepts of parents and children :). I'm a programmer too ... I have to sanitize my inputs and sanitize my outputs. When I call functions that aren't mine I have to make sure that they are doing what they should be doing, not wreaking havoc on my computer, and in a sense that's exactly what this comes down to, taking responsibility for a child process.

    9. Re:And this is a firefox problem... by Benaiah · · Score: 5, Informative

      People still use quicktime?
      Why? Just why?
      Every website that has a quicktime video, I just go straight to youtube and search for the equivalent.
      This is mainly due to the fact that the quicktime plugin traditionally hasn't been able to automatically install. You have to actually go to their website and install some adware filled crap that will never leave your system tray alone.

      *bends over ready for -5 apple bashing*

  2. That does it for me... by skeftomai · · Score: 5, Funny

    Man, I'm using IE from now on. It's WAY more secure...

  3. Apple software not secure. by Anonymous Coward · · Score: 4, Insightful

    So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?

  4. Troll -1 by dgr73 · · Score: 4, Funny

    "Quicktime bug!?! Oh sweet Joseph of Arimathea!!!! Quick, inform the users.. YES BOTH OF THEM!"

  5. Because of the end appearance by Sycraft-fu · · Score: 4, Insightful

    When you use QT in Firefox, it appears in the FF window itself; it in a very real way seems to be part of FF. We aren't talking about opening a file that then spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.

    So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.

  6. A bigger problem by 0123456 · · Score: 5, Insightful

    Is that there's apparently no way to simply disable a plugin in Firefox. In order to completely disable Quacktime I've had to go through various plugin directories physically deleting the files, and next time I have to update it all the bloody plugins will be back again.

    Why can't about:plugins just have a 'disable' box on each plugin? Or, better yet, a standard preferences menu list which just lets me disable them there and then?

    1. Re:A bigger problem by post.scriptum · · Score: 5, Informative

      You can disable plugins in Firefox 3.0 beta 1.

  7. Symantec is wrong... by Anonymous Coward · · Score: 4, Informative

    http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html
    http://erratasec.blogspot.com/2007/11/new-rtsp-quicktime-flaw-affects-both.html

    Standard buffer overflow protection doesn't work, Symantec was wrong. It seems that parts of Quicktime are not enabled for ASLR making these attacks possible.
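The comment above turns on whether a module actually opts in to ASLR, which on Windows is declared per image in the DllCharacteristics field of the PE optional header (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE; DEP is the neighbouring NX_COMPAT bit). The script below is an added example, not code from the thread, from Symantec, from Errata Security or from Apple: it parses that field so a defender can audit which DLLs in an install lack the mitigation. The two PE images it inspects are constructed headers-only blobs built in `build_sample_pe()` so the script runs offline; `check_file()` applies the same parser to a real file on disk.

```python
"""Audit a PE image (EXE/DLL) for the ASLR and DEP opt-in flags.

Added example for illustration. It reads DllCharacteristics from the PE
optional header, where a Windows module declares DYNAMIC_BASE (ASLR) and
NX_COMPAT (DEP). Sample images are constructed in-line (no real code in them).
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy (PE32+ only)
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR)
FORCE_INTEGRITY = 0x0080  # code integrity checks enforced
NX_COMPAT = 0x0100        # image is compatible with DEP
NO_SEH = 0x0400           # image contains no structured exception handlers
GUARD_CF = 0x4000         # Control Flow Guard enabled


def parse_dll_characteristics(image: bytes) -> dict:
    """Return the exploit mitigations a PE image declares in its optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of the PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsect, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", image, coff)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20  # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B).
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "cfg": bool(dll_chars & GUARD_CF),
        "raw": dll_chars,
    }


def missing_mitigations(flags: dict) -> list:
    """List the load-time mitigations a parsed image does not opt in to."""
    missing = []
    if not flags["aslr"]:
        missing.append("ASLR (DYNAMIC_BASE)")
    if not flags["dep"]:
        missing.append("DEP (NX_COMPAT)")
    if flags["pe32plus"] and not flags["high_entropy_va"]:
        missing.append("high-entropy ASLR (HIGH_ENTROPY_VA)")
    return missing


def check_file(path: str) -> dict:
    """Parse a real PE file from disk (e.g. a plugin DLL) with the same logic."""
    with open(path, "rb") as fh:
        return parse_dll_characteristics(fh.read())


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, headers-only PE image for testing (constructed sample)."""
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 240 if pe32plus else 224  # standard optional header sizes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "hardened.dll (constructed)": build_sample_pe(DYNAMIC_BASE | NX_COMPAT),
        "legacy.dll (constructed)": build_sample_pe(0),
    }
    for name, image in samples.items():
        flags = parse_dll_characteristics(image)
        print(f"{name}: missing {missing_mitigations(flags) or 'nothing'}")
```

A module that reports `ASLR (DYNAMIC_BASE)` as missing is loaded at its preferred image base on every run, which is the condition the Errata Security posts describe; the same parser can be run over each file in a plugin directory to find such modules.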

  8. Quicktime is the FF plugin from hell by caitsith01 · · Score: 4, Informative

    1. Quicktime doesn't ask whether you actually want to install the browser plugin when you install the QT player

    2. You HAVE to install Quicktime if you want to use iTunes

    3. You (sort of) HAVE to install iTunes if you want to use an iPod (although I strongly recommend people consider Winamp, which has native support now, or the excellent ml_ipod plugin for Winamp)

    4. Quicktime's browser plugin commandeers associations with a whole range of media types whether you want it to or not

    5. QT doesn't give you the option of launching QT in a totally separate window - it automatically opens things embedded in the browser and starts playing them

    6. QT seems to totally screw the ability to get Firefox to go back to launching media files with the good old "Open with..." dialog box, which lets you decide whether to open it, what to open it with, or whether to save it to disk

    7. QT has absolutely no regard for what other media players and file association you might already have configured for your browser

    and I guess we can add 8, although it was already implied

    8. QT is a buggy p.o.s. with worse functionality and security than any half-decent media player including VLC, Winamp, and (in my humble opinion) even the dreaded WMP.

    All of this reflects Apple's horrible attitude to developing software for the PC, which is essentially that they will utterly ignore the now well-established conventions of the platform in terms of installation behaviour, GUI and menu structure, and plugin behaviour and just run roughshod over the whole thing. Which would probably be more acceptable if their software JUST WORKED and was as fully featured as other options on the PC - but unfortunately that is not the case.

    --
    Read Pynchon.