QuickTime and Firefox combine for insecurity

A vulnerability in Apple's QuickTime media player can be exploited to execute remote JavaScript code, or, by tapping into Firefox's chrome engine, to execute remote code of any kind. The vulnerability has been described as similar to the QuickTime vulnerability behind the automated MySpace worm attack late last year.

The vulnerability involves a flaw in the way QuickTime loads its QTL format: XML files which contain links to audio or video media and metadata, which QuickTime treats as if they were the actual media file. JavaScript can be inserted into attributes in the XML file and is automatically run when the file is opened. Since QuickTime allows these files to be used transparently wherever a media file would be used, exploits may infect any audio or video format QuickTime can run, including mp3, mpg, avi and png. The blog post publishing the vulnerability lists 42 affected file extensions.
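As an added illustration (not from the article or from Petkov's post), the following check looks for the two signs the article describes from a defender's side: a file carrying a media extension whose content is actually an XML media-link document, and attributes in that document whose value is a script URL rather than a media location. The QTL structure assumed here (a `quicktime` processing instruction followed by an `<embed>` root element with a `src` attribute) and the sample files are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Media extensions that, per the article, QuickTime will open as a QTL
# document when the content is XML (a small subset of the 42 listed).
MEDIA_EXTENSIONS = {".mp3", ".mpg", ".avi", ".png", ".mov"}

# An attribute value that starts with a javascript: scheme hands control
# to script instead of pointing at media.
SCRIPT_SCHEME = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)


def inspect_qtl(filename: str, data: bytes) -> list[str]:
    """Return findings for a file that QuickTime would open as media.

    1. A media extension with an XML body is a QTL masquerading as media.
    2. Any attribute in that XML whose value is a javascript: URL.
    """
    findings = []
    head = data.lstrip()[:64].lower()
    is_xml = head.startswith((b"<?xml", b"<?quicktime", b"<embed"))
    if not is_xml:
        return findings  # looks like genuine binary media
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in MEDIA_EXTENSIONS:
        findings.append(f"xml-content-with-media-extension:{ext}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings.append("malformed-xml")
        return findings
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if SCRIPT_SCHEME.match(value):
                findings.append(f"script-url-in-attribute:{elem.tag}@{name}")
    return findings


# Constructed samples (assumed QTL layout, not taken from the article).
BENIGN_QTL = b"""<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="http://media.example.test/clip.mov" autoplay="true"/>"""

SUSPICIOUS_QTL = b"""<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="javascript:void(0)" qtnext="javascript:void(0)" autoplay="true"/>"""

if __name__ == "__main__":
    for name, blob in (("clip.qtl", BENIGN_QTL), ("song.mp3", SUSPICIOUS_QTL)):
        print(name, inspect_qtl(name, blob))
```

A real mp3 begins with an ID3 tag or a frame sync, not with `<?xml`, so the extension check only fires when the content and the extension disagree.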

The flaw was discovered by London security researcher Petko D. Petkov and posted on his blog, gnucitizen. The same vulnerability had previously been divulged on the blog as early as December last year, but has not yet been addressed. "So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack," Petkov wrote.

While the proof of concept published on the site affects Mozilla's chrome engine, the QuickTime flaw is cross-browser, affecting versions of Internet Explorer too. "It works for IE as well, although the impact is less critical I must say. This is due to the tightened security policies IE implements for local zone scripts," Petkov responded in a comment.

Another researcher quickly pointed out on his blog that web surfers using the NoScript plugin for Firefox are protected from the chrome vulnerability allowing remote code execution, even if they have the originating site in their list of allowed domains.

The blog post publishing the flaw can be found here, however we advise you do not run any files contained within the post, as they are examples of exploiting the flaw.
