A penetration tester said he posted an exploit demonstration to make a point after Apple "ignored" a QuickTime vulnerability that he discovered a year ago.
Mozilla confirmed that a year-old unpatched vulnerability in Apple's QuickTime media player opens up a backdoor that could enable a hacker to break into Firefox.
Petko D. Petkov, a penetration tester, said in a blog post that the "vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system." Petkov released information about two QuickTime bugs this same month last year, but he noted that only one has been patched. The other remains a problem, especially for users of the open-source Firefox browser.
The researcher posted several proof-of-concept exploits on his blog.
"Petkov provided proof-of-concept code that may be easily converted into an exploit, so users should consider this a very serious issue," wrote Window Snyder, the top security person at Mozilla. "If Firefox is the default browser when a user plays a malicious media file handled by QuickTime, an attacker can use a vulnerability in QuickTime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in QuickTime. So far this is only reproducible on Windows."
The researcher said in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."
Apple issued at least three separate patch updates for QuickTime in the last several months.
QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Top IT Trends to Watch in Financial ServicesIT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Join us for a roundup of the top stories on InformationWeek.com for the week of September 18, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."