Unpatched QuickTime Bug Threatens Firefox - InformationWeek
9/13/2007
01:38 PM

Unpatched QuickTime Bug Threatens Firefox

A penetration tester said he posted an exploit demonstration to make a point after Apple "ignored" a QuickTime vulnerability that he discovered a year ago.

Mozilla confirmed that a year-old unpatched vulnerability in Apple's QuickTime media player opens up a backdoor that could enable a hacker to break into Firefox.

Petko D. Petkov, a penetration tester, said in a blog post that the "vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system." Petkov released information about two QuickTime bugs this same month last year, but he noted that only one has been patched. The other remains a problem, especially for users of the open-source Firefox browser.

The researcher posted several proof-of-concept exploits on his blog.

"Petkov provided proof-of-concept code that may be easily converted into an exploit, so users should consider this a very serious issue," wrote Window Snyder, the top security person at Mozilla. "If Firefox is the default browser when a user plays a malicious media file handled by QuickTime, an attacker can use a vulnerability in QuickTime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in QuickTime. So far this is only reproducible on Windows."

The researcher said in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."

Apple issued at least three separate patch updates for QuickTime in the last several months.

QuickTime is Apple's multimedia technology for handling video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. iTunes, in turn, uses QuickTime.
