Firefox Susceptible To QuickTime Security Flaw
Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."
Man, I'm using IE from now on. It's WAY more secure...
It's not a Firefox problem inasmuch as a fix to Firefox itself will fix the problem. However, it's a reasonable idea to provide a heads-up to Firefox users (savvy and not-so-savvy) that a popular associated app it interacts with contains a flaw that appears to be unique to said pairing.
Besides, this is Slashdot. Since when did the headlines make sense?
RW
It isn't a Firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.
Glass half empty, half full type thing. Of course, QuickTime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?
Is that there's apparently no way to simply disable a plugin in Firefox. In order to completely disable Quacktime I've had to go through various plugin directories physically deleting the files, and next time I have to update it all the bloody plugins will be back again.
Why can't about:plugins just have a 'disable' box on each plugin? Or, better yet, a standard preferences menu list which just lets me disable them there and then?
People still use QuickTime?
Why? Just why?
Every website that has a QuickTime video, I just go straight to YouTube and search for the equivalent.
This is mainly due to the fact that the QuickTime plugin traditionally hasn't been able to automatically install. You have to actually go to their website and install some adware-filled crap that will never leave your system tray alone.
*bends over ready for -5 apple bashing*