QuickTime Vulnerability

From Mozilla Links

GNUCITIZEN, a “creative hacker organization”, has disclosed details of a severe security vulnerability affecting Firefox users who have installed the QuickTime plugin on Windows or Mac OS X, which at a minimum includes all iTunes users.

The vulnerability is based on QuickTime Media Link files (.qtl), simple XML files that describe the media file to be played (an .avi, .mov or .mp3, for example) along with other settings. However, one of these parameters, qtnext, lets the publisher specify a URL (web address) to be loaded when the media file ends. That URL can be a JavaScript instruction (a javascript: URL) like those used in thousands of web pages and services today.

Up to this point there is no problem: Firefox itself is driven by JavaScript code and libraries, but they run in an isolated, privileged environment kept separate from the code of web pages. The QuickTime plugin, however, can reach that Firefox code just like any other object and use it to run any application on the attacked computer.

To make things worse, a QTL file can be renamed to .mp3, .mpg, .avi or any of the couple of dozen formats QuickTime supports, and QuickTime will still handle it as a QTL file because it goes by the file's content rather than its extension. That makes attacks easier to set up.
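Because QuickTime dispatches on content, a proxy or upload filter that only looks at extensions learns nothing. The scanner below is an added example (it is not code from the original post, nor from GNUCITIZEN or Mozilla): it sniffs the bytes for QTL content regardless of the filename, then flags any qtnext-style attribute whose URL uses a scheme other than an ordinary web or streaming scheme. It assumes the QuickTime Media Link layout of a single `<embed>` element carrying `src`, `autoplay` and `qtnext` attributes (with `qtnext1`, `qtnext2`, … counted as well), and that a qtnext value may be wrapped in angle brackets and followed by a whitespace-separated target token; the three sample files are constructed fixtures, and the javascript: value in them is a no-op used only to exercise the detector.

```python
"""Defensive scanner for QuickTime Media Link (QTL) content hidden behind
other media extensions.  Illustrative code; the QTL layout described in the
comments is an assumption, not taken from the original post."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Schemes a "what to play next" link has a legitimate reason to use.
# "" stands for a relative URL.
ALLOWED_SCHEMES = {"", "http", "https", "rtsp", "ftp"}

# Attribute names of interest: qtnext, qtnext1, qtnext2, ... (assumption).
QTNEXT_ATTR = re.compile(r"^qtnext\d*$", re.IGNORECASE)

# Textual fallback grammar for documents the XML parser rejects.
ATTR_RE = re.compile(r'(qtnext\d*)\s*=\s*"([^"]*)"', re.IGNORECASE)


def looks_like_qtl(data: bytes) -> bool:
    """Content sniff: a supposed .mp3/.avi whose bytes begin with XML text and
    mention <embed or the quicktime processing instruction is a QTL document,
    whatever the extension claims."""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<") and (b"<embed" in head or b"<?quicktime" in head)


def _qtnext_attributes(data: bytes) -> list[tuple[str, str]]:
    """Collect (attribute name, raw value) pairs for every qtnext-style attribute.
    ElementTree does not resolve external entities by default; for hostile input
    in production, defusedxml is the safer parser."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not well-formed (e.g. a raw '<' inside an attribute).  Fall back to a
        # textual scan so a broken-but-tolerated file does not slip through.
        return ATTR_RE.findall(data.decode("utf-8", errors="replace"))
    return [(name, value)
            for elem in root.iter()
            for name, value in elem.attrib.items()
            if QTNEXT_ATTR.match(name)]


def normalize_qtnext(value: str) -> str:
    """Reduce a qtnext value to the URL itself: strip surrounding angle brackets
    and drop the optional trailing target token ("<url> T<target>")."""
    v = value.strip()
    if v.startswith("<") and ">" in v:
        v = v[1:v.index(">")]
    parts = v.split()
    return parts[0] if parts else ""


def scan_qtl(data: bytes) -> list[str]:
    """One finding per qtnext attribute whose URL scheme is not on the allow-list."""
    findings = []
    for name, raw in _qtnext_attributes(data):
        url = normalize_qtnext(raw)
        # Drop ASCII control characters before reading the scheme so that
        # "java\tscript:"-style obfuscation cannot hide it.
        scheme = urlsplit(re.sub(r"[\x00-\x1f]", "", url)).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            findings.append(f"{name}: disallowed scheme '{scheme}' in {url!r}")
    return findings


def classify_file(filename: str, data: bytes) -> str:
    """Verdict for one file as an upload filter or proxy would compute it."""
    if not looks_like_qtl(data):
        return "not-qtl"
    findings = scan_qtl(data)
    if findings:
        return "block: " + "; ".join(findings)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "qtl":
        return "warn: QTL content disguised as ." + ext
    return "allow"


# --- constructed fixtures (not real files) ---------------------------------
# A QTL document saved under an .mp3 name; the javascript: value is a no-op.
SAMPLE_DISGUISED = b"""<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="intro.mp3" autoplay="true" qtnext="&lt;javascript:void(0)&gt; T&lt;myself&gt;" />
"""
# A benign media link whose follow-up is an ordinary http URL.
SAMPLE_CLEAN = b"""<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="rtsp://media.example/clip.mov" qtnext="http://media.example/next.qtl" />
"""
# Malformed XML (raw '<' in an attribute) to exercise the textual fallback.
SAMPLE_MALFORMED = b'<?xml version="1.0"?>\n<embed src="x.mov" qtnext="<javascript:void(0)> T<myself>">'
# The first bytes of a genuine MP3 (ID3 header), which is not XML at all.
SAMPLE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00\xff\xfb" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("song.mp3", SAMPLE_DISGUISED), ("next.qtl", SAMPLE_CLEAN),
                       ("clip.avi", SAMPLE_CLEAN), ("song.mp3", SAMPLE_MP3)):
        print(f"{name}: {classify_file(name, blob)}")
```

The allow-list of schemes, rather than a deny-list of `javascript:`, is the deliberate choice: any scheme that turns a "play this next" link into code execution is caught, not just the one the advisory happens to name, and a relative or plain http URL still passes.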

The test cases posted by GNUCITIZEN are really scary: click on an mp3, the QuickTime plugin tries to load a file that doesn't exist, so playback completes immediately and the qtnext URL launches Windows Calculator. But it could be any application with any parameters.

The article goes on to recommend the removal of QuickTime from your system. However, for me that is not something I really want to do. Oddly enough, I do use QuickTime quite frequently. A blog I frequent uses QuickTime videos, and my internet-based answering service uses QuickTime for the messages (although I could choose to download them as MP3). Further, it is important to understand that this is a QuickTime issue and it is NOT just isolated to Firefox and Windows. It also affects IE (but not as severely) and even the immortal Macs.

While bug 395942 was caught early enough that it could be patched in Firefox 2.0.0.7, what is one supposed to do in the meantime? You can go through the process of removing QuickTime, wait for new versions of Firefox and QuickTime, and then reinstall. But there is a better option, thanks to our friends on the CyberNet Forum. It turns out the NoScript extension will protect you from this vulnerability.

News Sources:

  • CyberNet Forum
  • Mozilla Links [1, 2]