Software // Enterprise Applications
News
9/13/2007
01:38 PM
Connect Directly
RSS
E-Mail
50%
50%

Unpatched QuickTime Bug Threatens Firefox

A penetration tester said he posted an exploit demonstration to make a point after Apple "ignored" a QuickTime vulnerability that he discovered a year ago.

Mozilla confirmed that a year-old unpatched vulnerability in Apple's QuickTime media player opens up a backdoor that could enable a hacker to break into Firefox.

Petko D. Petkov, a penetration tester, said in a blog post that the "vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system." Petkov released information about two QuickTime bugs this same month last year, but he noted that only one has been patched. The other remains a problem, especially for users of the open-source Firefox browser.

The researcher posted several proof-of-concept exploits on his blog.

"Petkov provided proof-of-concept code that may be easily converted into an exploit, so users should consider this a very serious issue," wrote Window Snyder, the top security person at Mozilla. "If Firefox is the default browser when a user plays a malicious media file handled by QuickTime, an attacker can use a vulnerability in QuickTime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in QuickTime. So far this is only reproducible on Windows."

The researcher said in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."

Apple issued at least three separate patch updates for QuickTime in the last several months.

QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.