
Severe QuickTime vulnerability in Firefox disclosed

Published: September 12th, 2007

GNUCITIZEN, a “creative hacker organization”, has disclosed details on a severe security vulnerability affecting Firefox users who have installed the QuickTime plugin on Windows or Mac OS X, which at a minimum includes all iTunes users.

The vulnerability is based on QuickTime Media Link files (.qtl), simple XML files that include details about the media file to be played (like an .avi, .mov or .mp3) and other settings. One of these parameters, qtnext, allows the publisher to specify a URL (web address) to be displayed when the media file ends. That URL can also be a JavaScript instruction, like those used in thousands of web pages and services today.

Up to this point there is no problem. But Firefox itself is controlled through JavaScript code and libraries, which run in an isolated environment that separates them from web page code. The QuickTime plugin, however, can access the Firefox code just like any other object and manipulate it to run any application on the attacked computer.

To make things worse, QTL files can be renamed as .mp3, .mpg, .avi or any of a couple of dozen file formats QuickTime supports, and QuickTime will still handle them properly, which makes attacks easier to disguise.
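A defensive check for the two properties described above (the qtnext parameter and the renamed-extension trick), as an added example that is not from the original post or from GNUCITIZEN. The sample bytes are constructed, the `<?quicktime?>` header and `embed` element are an assumption about the QTL layout, and allowing only plain http(s) URLs in qtnext is an assumed policy.

```python
import os
import re
import xml.etree.ElementTree as ET

# Extensions named on the page; QuickTime accepts many more.
MEDIA_EXTS = {".mp3", ".mpg", ".avi", ".mov"}
# Assumed policy: qtnext may only be a plain absolute http(s) URL.
PLAIN_WEB_URL = re.compile(r"^https?://[^\s<>\"']+$", re.IGNORECASE)


def inspect_media(filename, data):
    """Return a list of findings for a file offered under `filename`."""
    findings = []
    if not data.lstrip().startswith(b"<"):
        return findings  # not markup, so not a media link file
    if b"<!DOCTYPE" in data.upper():
        return ["XML with a DTD: not parsed, treat as suspicious"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["starts like XML but does not parse: treat as suspicious"]
    ext = os.path.splitext(filename)[1].lower()
    if ext in MEDIA_EXTS:
        findings.append(f"XML content served under {ext}")
    for element in root.iter():
        for name, value in element.attrib.items():
            is_qtnext = name.lower() == "qtnext"
            if is_qtnext and not PLAIN_WEB_URL.match(value.strip()):
                findings.append(f"qtnext is not a plain http(s) URL: {value!r}")
    return findings


# Constructed samples (not taken from the GNUCITIZEN report).
QTL_SCRIPT = b"""<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="missing.mp3" autoplay="true" qtnext="javascript:void(0)"/>"""
QTL_BENIGN = QTL_SCRIPT.replace(b"javascript:void(0)", b"http://example.com/next.mov")
REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x0f" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("song.mp3", QTL_SCRIPT), ("clip.qtl", QTL_BENIGN),
                       ("track.mp3", REAL_MP3)]:
        print(name, inspect_media(name, blob) or "clean")
```

A check like this fits a download proxy or mail gateway, where the file name and the first bytes of the body are both available before the browser plugin sees the file.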

The test cases posted by GNUCITIZEN are really scary: click on an mp3 and the QuickTime plugin tries to load the file, which doesn’t exist, so it quickly completes and launches Windows Calculator. But it could be any application with any parameter.

It’s not clear to me where the responsibility lies, but QuickTime enforcing appropriate file format naming would at least help to know when a site is serving a file that could possibly include some scripting.

On the other hand, Firefox shouldn’t allow a plugin to script its code. To aggravate things, this is the third time GNUCITIZEN has disclosed this same vulnerability: it was initially disclosed about a year ago and again some months later.

Given the severity of the vulnerability, it needs to be fixed now.

In the meantime, if you have the QuickTime plugin installed, virtually any media file could take control of your computer, so I suggest disabling the plugin as soon as possible.

I guess there are more civilized ways of doing this, but until we find one, just rename the plugins folder in the QuickTime install location. On Windows, by default, it is C:\Program Files\QuickTime. Media files will still be associated with the plugin, so clicking on a media file will open a blank page; this is just a quick protection.

Read the complete report at GNUCITIZEN.

UPDATE


4 Comments on “Severe QuickTime vulnerability in Firefox disclosed”


  1. pdp
    September 12th, 2007 at 10:30 am

    the link is wrong. this is the right one: http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox

    and thanks for the detailed description…

    cheers


  2. Percy Cabello
    September 12th, 2007 at 11:03 am

    pdp, thanks for the correction. The link is now updated.


  3. Olhado
    September 13th, 2007 at 6:31 am

    NoScript seems to stop it, so installing an extension that you all should be using anyway will greatly limit the danger (I guess it will not eliminate it, since someone could still inject a malicious file into one of your trusted websites…).


  4. David
    September 14th, 2007 at 4:17 pm

    I tried one of the Gnucitizen tests. McAfee antivirus popped up a note saying it had quarantined a trojan–though, FWIW, the Gnucitizen script had already succeeded in launching the calculator.


4 Trackbacks/Pings (Trackback URL)

  1. Update on QuickTime plugin vulnerability : Mozilla Links, September 13th, 2007 at 10:59 am
  2. QuickTime Vulnerability « Firefox Extension Guru’s Blog, September 14th, 2007 at 4:09 pm
  3. ·¨-=[WHK]=-¨· » Archive » Zero day in Apple's QuickTime allows remote code execution (, September 14th, 2007 at 7:45 pm
  4. Firefox 2.0.0.7 update fixes QuickTime vulnerability : Mozilla Links, September 18th, 2007 at 9:26 pm
