Mozilla confirmed that a year-old unpatched vulnerability in Apple's QuickTime media player opens up a backdoor that could enable a hacker to break into Firefox.
Petko D. Petkov, a penetration tester, said in a blog post that the "vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system." Petkov released information about two QuickTime bugs this same month last year, but he noted that only one has been patched. The other remains a problem, especially for users of the open-source Firefox browser.
The researcher posted several proof-of-concept exploits on his blog.
"Petkov provided proof-of-concept code that may be easily converted into an exploit, so users should consider this a very serious issue," wrote Window Snyder, the top security person at Mozilla. "If Firefox is the default browser when a user plays a malicious media file handled by QuickTime, an attacker can use a vulnerability in QuickTime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in QuickTime. So far this is only reproducible on Windows."
The researcher said in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."
Apple issued at least three separate patch updates for QuickTime in the last several months.
QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.