Firefox plagued by unpatched QuickTime flaw

By

Mozilla on Thursday acknowledged that a year-old vulnerability in the QuickTime media player plug-in for Firefox could let a hacker break into the open-source browser.


Petko Petkov, the founder of penetration-testing organization Gnucitizen, noted in a blog posting that the "vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system." Petkov added that he first released information about a pair of QuickTime bugs a year ago, but noted that only one had been fixed.

This second, still outstanding vulnerability remains an issue for Firefox users relying on the QuickTime plug-in, Apple's widely used multimedia software for handling video, sound, animation, text and music. QuickTime is also a component of the iTunes media player, which runs on PCs and Macs.

Petkov posted several proof-of-concept exploits on his blog.

The problem occurs when Firefox is set as a user's default browser and the user plays a malicious media file handled by QuickTime. The problem — so far only proven on Windows systems — can occur while browsing or opening a malicious media file directly in QuickTime.

"The first vulnerability was fixed, but the second one was completely ignored," Petkov wrote on his blog. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a low-risk issue can be turned into an easy-to-perform high-risk attack."

In a blog posting, Mozilla representative Window Snyder, noted, "Mozilla is working with Apple to keep our users safe . . . we are also investigating ways to mitigate this more broadly in Firefox."

Eric Schultze, the chief security architect at Shavlik Technologies, told SCMagazineUS.com that the underlying issue was a flaw in Firefox's protocol handler.

"The QuickTime plug-in for Firefox isn't properly validating all the input parameters," he said, adding that the flaw points to a lack of proper security knowledge on the part of Firefox's developers.

Schultze called the Firefox/QuickTime vulnerability just as bad as any of Microsoft's critical security flaws.

Until the Mozilla Foundation releases a fix for the flaw, he urged Firefox users with the QuickTime plug-in to either make Internet Explorer their default browser or not click on movie files. He expects a patch to be available within a week.

See original article on SC Magazine US
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
byfirefoxflawplaguedquicktimesecurityunpatched

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?