Forgot your password?
typodupeerror
Security Mozilla The Internet

Firefox Susceptible To QuickTime Security Flaw 231

Posted by kdawson
from the exploit-available-in-the-wild dept.
Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."
This discussion has been archived. No new comments can be posted.

Firefox Susceptible To QuickTime Security Flaw

Comments Filter:
  • by Shoeler (180797) * on Tuesday November 27, 2007 @03:57PM (#21496135)
    Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?
    • by Volante3192 (953645) on Tuesday November 27, 2007 @04:01PM (#21496177)
      Exactly...the way I'm reading this, if someone opens whatever this is straight in Quicktime it'd be vulnerable.

      Guess they want the more hits by throwing Fox into the mess though, but really, why have Mozilla fix Apple's flaws?
      • by Benaiah (851593) on Tuesday November 27, 2007 @08:48PM (#21499615)
        People still use quicktime?
        Why? Just why?
        Every website that has a quicktime video, I just go straight to youtube and search for the equivalent.
        This is mainly due to the fact that the quicktime plugin traditionally hasn't been able to automatically install. You have to actually go to their website and install some adware filled crap that will never leave your system tray alone.

        *bends over ready for -5 apple bashing*
    • by aredubya74 (266988) on Tuesday November 27, 2007 @04:01PM (#21496179)
      It's not a Firefox problem inasmuchas a fix to Firefox itself will fix the problem. However, it's a reasonable idea to provide a heads-up to Firefox users (savvy and not-so-savvy) that a popular associated app it interacts with contains a flaw that appears to be unique to said pairing.

      Besides, this is Slashdot. Since when did the headlines make sense?
      • by Trails (629752)
        A fix implies a problem. I would challenge the notion that it's up to any one app to manage another's buffers, unless that is the application's specific and express intent.

        Further, a fix to FF will NOT fix the problem (the exploit will still exist in QT), it will only fix it if FF acts as a container for plugins, something that's caused no end of pain from IE.
        • A fix implies a problem. I would challenge the notion that it's up to any one app to manage another's buffers, unless that is the application's specific and express intent.

          Further, a fix to FF will NOT fix the problem (the exploit will still exist in QT), it will only fix it if FF acts as a container for plugins, something that's caused no end of pain from IE.

          I agree. Lets just hope that Apple doesn't turn around and blame Mozilla like Mozilla Corp. did to Microsoft when they had a similar problem [secunia.com].

    • I don't know. But IE gets blamed for similar sorts of situations as well (but not this particular instance).
      • Yes, but if an IE flaw allows Windows Media Player to execute a DirectX DLL that runs a Visual Basic script, then it's probably Microsoft's problem.
    • by everphilski (877346) on Tuesday November 27, 2007 @04:04PM (#21496243) Journal
      It isn't a firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.

      Glass half empty, half full type thing. Of course, Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?
      • Re: (Score:2, Insightful)

        by Shoeler (180797) *

        Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?
        I'd rather have a browser that focuses on making sites render most correctly, most quickly, and where only its core functions are concerns of the already burdened developers.

        But that's just me talkin'.
      • by pembo13 (770295)
        Well if you volunteering installed the plugin, I just assumed the browser would trust it. Interesting to find out otherwise. Does that mean the Quicktime plugin could take IE down with it in a crash?
        • by empaler (130732)
          Isn't it the other way around?
          I've had QT crash my Ffx dozens of times, but never any problems with QT crashing IE. Which seems backward to me...
      • by sm62704 (957197) on Tuesday November 27, 2007 @04:23PM (#21496503) Journal
        Glass half empty, half full type thing.

        The optimist says the glass is half full. The pessimist says the glass is half empty. The scientist says there is .3764666437 litres. The realist says "there's not enough". The doctor says "he's dead, Jim".
        • by znode (647753) * <znode@gmCOMMAx.de minus punct> on Tuesday November 27, 2007 @04:35PM (#21496681) Homepage
          The engineer says that the glass is twice as large as it needs to be.

          Jack Bauer found out where the glass was, who drank the water, and which government they worked for.
          • by Duhavid (677874)
            Hopefully they picked the "good package" and not the "big gun".
          • by oskard (715652)
            Chuck Norris round-house kicked every living soul who ever pondered over the glass.
          • by Jesus_666 (702802)
            Jack Bauer found out where the glass was, who drank the water, and which government they worked for.

            Miami's CSI team is still busy determining the water's pH level, checking the glass for DNA samples, upsampling a security recording of the glass to full HD quality, walking around in slow motion and taking off their sunglasses while making painfully dramatic remarks.

            Reults are expected in about two days, just in time to stop the half-emptyer from half-emptying another glass of water. And probably shoot h
        • by dubbreak (623656)

          The scientist says there is .3764666437 litres.

          I say you have big glasses! I've been looking for something to hold an entire bottle of la fin du monde [unibroue.com], yours sounds like it could even fit some head!
      • by marcello_dl (667940) on Tuesday November 27, 2007 @06:42PM (#21498343) Homepage Journal
        Uhm but let's say we have good dog IE terminating the plugin for an overflow. IE won't be able to tell if it's accidental or malware at work, so it will throw a generic error or a warning at most, and terminate. The user really wants to see "supersexy.mov" so he may be tempted to download or get it from the browser's cache (people getting pr0n likely know about the cache). Or the user got the file by email or downloaded it with a spider. This time Quicktime player is invoked and blam, user is Pwned. So either all players must do bounds checking (inefficient) or it should be the OS, not the browser, the one who babysits processes.

        OTOH, babysitting probably takes up more resources so a paranoid OS will slow down. But IMHO the solution is still to taint dangerous stuff (what you got just downloaded) and have the OS babysit it.
    • by Sycraft-fu (314770) on Tuesday November 27, 2007 @04:06PM (#21496273)
      When you use QT in Firefox, it appears in the FF window itself, it in a very real way seems to be part of FF. We aren't talking about opening a file that ten spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.

      So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.
      • When you use QT in Firefox, it appears in the FF window itself, it in a very real way seems to be part of FF. We aren't talking about opening a file that ten spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.

        So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.

        No, the testing done in the article was not embedded inside the Firefox window. It did indeed spawn a completely separate app. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html [symantec.com]

        Apples and oranges here. The plugin inside IE is protected via IE's features. The standalone app outside Firefox, as expected, is not protected by any features of Firefox.

        I don't know why it's run as a standalone app rather than as a plugin inside Firefox. Perhaps they didn't install t

        • by Almahtar (991773)

          I don't know why it's run as a standalone app rather than as a plugin inside Firefox.
          It's run in a separate process so if a plugin crashes your FireFox process won't get halted by the OS for a seg fault or whatever. This way a plugin can't crash your browser.
      • If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it.

        That's not far from:

        If you are loading an app in your OS, perhaps you should load it in such a way that your OS can keep control over it.

        It is possible to write an OS in which malicious programs can be run, and are unable to do anything harmful, due to reduced privileges. Most of us don't do this, even to the extent that most modern OSes allow.

        Think about it -- why stop with plugins?

    • Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?

      Because Internet browsers are one of the commonest entry-points for malware. While one could argue that this strictly speaking isn't a Firefox problem, I for one would still expect a modern web browser to place as many barriers as possible between itself and my OS. The fact that it is standard practice in IE 6/7 to sandbox apps like this as an internal plugin should be enough of a motivation for the Firefox team to go the same way. Being upstaged in security features by a Microsoft product is pretty embar

    • by Kalriath (849904)
      I assume this nearly caused a fatal exception in the minds of the submitter or editor. I mean, they can't blame it on Firefox, because it's the Browser of Gods. And they can't blame it on Quicktime, because it's Apple.

      They would have blamed it on IE, but they couldn't find any way to make any connection (and for the first time ever, IE just kind of sat off to the side and shrugged it's shoulders in disinterest that it isn't affected).
    • by erroneus (253617)
      It's not directly a firefox problem to be sure and I think everyone generally agrees with that. But where MSIE protects the user from the problem, so too should firefox if it's possible. Is it possible? Would such a facility in the Windows compile of firefox translate or improve user protection under MacOSX and Linux? And could such a facility also protect users if other vulnerabilities are identified in other commonly used extensions or plugins or whatever?

      Again, while it's not directly firefox's probl
    • by jvkjvk (102057) on Tuesday November 27, 2007 @06:12PM (#21497983)
      In a very narrow sense you are correct. The exploit is in Quicktime. However, in a general sense you are wrong because there are other browsers that, through their design and security models, do not allow this to happen. They shut down the offending code.

      It does not really matter that the 'actual' vulnerability is in Quicktime. Firefox is the application that controls whether this vulnerability will affect the user, since it is obvious that is it possible to have code in Firefox that stops this exploit from working.

      It is also a Firefox problem because any other plugin of this type is equally vulnerable using Firefox. From a secure coding point of view, is it your problem if you create an avenue whereby an exploit can occur? Damn straight! In this case, perhaps running the plugins in a controlled and monitored sandbox would be a good design change, instead of forking another process...
    • Because unlike IE and safari they didn't treat everything from the Internet as potentially dangerous and provide additional security mechanisms. This is not the first time they were caught out with such a issue.
    • Re: (Score:2, Interesting)

      by segra (867730)
      This must be a windows/macos problem then! If they hadn't loaded Firefox, Firefox couldnt of loaded Quicktime!
  • by skeftomai (1057866) on Tuesday November 27, 2007 @04:00PM (#21496165)
    Man, I'm using IE from now on. It's WAY more secure...
    • by Homology (639438) on Tuesday November 27, 2007 @04:15PM (#21496417)

      Man, I'm using IE from now on. It's WAY more secure...

      Funny that security is not touted as much as a feature anymore compared to the early Firefox releases.

      • by bcat24 (914105)
        Are you sure about that? Look at Mozilla's main Firefox page [mozilla.com]. What's the tagline? Oh, "faster, more secure, & customizable". What's spelled out in big letters with a checkmark next to it? How about this:

        Stay Secure on the Web

        Firefox continues to lead the way in online security, and now includes active protection from online scams to keep you safer.

        I'd say they're still pumping the security angle in their marketing stuff.

    • by syousef (465911)
      Man, I'm using IE from now on. It's WAY more secure...

      Damn. I thought I was safe. We need a new version of Firefox that dis-allows Quicktime. I vote we call it Pornzilla.

  • by rminsk (831757) on Tuesday November 27, 2007 @04:01PM (#21496181)
    So how is this a firefox problem? Firefox spawns off another process that has a flaw and it crashes. This process is completely outside of the memory space of firefox at this point.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      How do so many people have a problem understanding this? It's simple:

      Non-Firefox browser: exploit fails to execute, instead protected by bounds checking

      Firefox: exploit executes unchecked

      How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.

      Besides, Firefox and IE use different plugin models.
      • by ByOhTek (1181381)
        Firefox assumes that if a user installs a plugin, it is trustable, the others do not.

        The plugin (and the app itself) are where the flaw lies. Now, firefox could sandbox its plugins, at some arbitrary performance penalty, as it's rivals do, and that would certainly fix the problem from the FireFox pov.

        But the problem is still within QuickTime, and any other non-sandboxing app could be corrupted. One of the things I leanred in my computer science classes, is that if you have error checking at every level, you
      • How do so many people have a problem understanding this? It's simple:

        Non-Firefox browser: exploit fails to execute, instead protected by bounds checking

        Firefox: exploit executes unchecked

        How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.

        Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.

        The headline should read "Vulnerability in QuickTime. IE mitigates attacks via its QT plugin. Firefox doesn't fix problem in QT."

        Per the Symantec article, the issue as related to Firefox is not with a plugin. The article states that QuickTime is run as a plugin inside IE and Safari. The vulnerable software is run inside the browser, and thus falls under the browser's control. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_IE.html [symantec.com] shows this. However, in the case of Firefox, QuickTime is run as a standalone app outside the browser. See http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html [symantec.com]. In this case, Firefox gets Item A and sees that the system is configured to handle that type of item with Program B. Therefore, Firefox hands Item A to Program B. It works exactly the same as launching the malicious file from the Run box.

        Once again, it is not a problem with Firefox's plugin system because this is not running as a Firefox plugin. Let me correct your quote. See how that makes it a little less cut and dried?

        Non-Firefox browser: exploit fails to execute inside browser plugin, instead protected by bounds checking
        Firefox: exploit executes unchecked completely outside of Firefox

        If there were a vulnerability in your email or FTP program, would you blame Firefox because it hands off mailto: and ftp: links to those external programs? Should Firefox be held responsible for malicious files (of any type - Word, MP3, .exe, etc.) that you download and then run externally? The Symantec article also mentions emailing attachments as an attack vector. Uh oh, Outlook and Thunderbird are also flawed, because they hand the file off to QuickTime to open too!

        Also, judging by the IE pic, it appears that their "buffer overrun protection" is "crashing the browser". In this case, the QT vuln is also a DoS against IE, while Firefox does not have that vulnerability.

        I agree that every program should do what it can to limit damage. However, Firefox can't do much about completely external programs. In this case, Firefox has no understanding of the data being downloaded, just that the system is configured to handle the data with a certain program. The only way to fix this is with filename/URL blacklisting so it doesn't open the bad URL (gee, that's practical) or by coding Firefox to understand every type of data it encounters. Essentially, code every other program into Firefox itself so that it can determine if the data is good or bad before handing it off (gee, that's practical). If this were a problem with a Firefox plugin, I would agree with you fully. However, it's a completely external program which Firefox has no control over, so I can't disagree more.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Because it is possible to have a better security model that doesnt spawn off another process.

      Kind of like how on an old operating system that doesnt have seperate address spaces it isnt the OSes fault if you run a program that brings down the entire system. But there is a better OS design they could have used that would have prevented that. Same thing here, there is a better browser design that would have prevented this.
      • Because it is possible to have a better security model that doesnt spawn off another process.


        As long as the other process isn't spawn with greater privileges, there's no problem, right? Oh... you're talking about Windows, where EVERYONE logs in with root privileges...

        Never mind then.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Which is exactly the problem. It should not pass untrusted files to other trusted apps. It should keep it inside it's own buffer overflow protection bubble as IE does.

      If this was an IE problem, you know the tagging beta would be full of 'defectivebydesign' and 'haha' remarks. But this is Firefox, so all is forgiven.
    • So how is this a firefox problem? Firefox spawns off another process that has a flaw and it crashes. This process is completely outside of the memory space of firefox at this point.

      It isn't a Firefox problem. per se. Firefox did nothing but what was asked of it: call this user-specified external program to deal with a piece of data.

      Applications should be well-written and behaved, but we expect our OS to compensate for them when they are not. Browsers are evolving, becoming an operating environment unto themselves, and Firefox's competitors have taken a stance similar to the OS makers. Plug-ins should be well-written and behaved, but they'll take steps to minimize the damage caused

    • I dunno. IE users are not vulnerable. Firefox users are.

      Explain to me why the term "firefox" doesn't belong in the vulnerability writeup when only firefox users are exposed?
      • I dunno. IE users are not vulnerable. Firefox users are.

        Explain to me why the term "firefox" doesn't belong in the vulnerability writeup when only firefox users are exposed?

        1. Download the malicious file with IE. Don't play it inside IE, just save it somewhere.
        2. Double-click that file so that it opens in QuickTime.
        3. Add "Internet Explorer" to the vulnerability writeup.

        If you look at the Symantec article, the malicious file ran in the standalone QT app, not in a Firefox plugin. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html [symantec.com]

        It's really apples and oranges. In the IE test, the malicious file was running inside IE via the plugin. In

        • Since it wasn't running in a Firefox plugin, the test really doesn't say anything at all about Firefox or its plugin system.
          Well, the fact that I am running firefox right now and I'm vulnerable to a remote code execution flaw, and I could close the flaw by running IE instead is really all that matters to me.

          Maybe I should check out IE7. I hear they have tabs now, and I'll be more secure.
    • by pla (258480)
      So how is this a firefox problem?

      Ah, you simply didn't take the blame-game quite far enough...

      See, if we can blame FireFox for flaws in 3rd party code it forks off, then we can also, by proxy, blame Windows for letting FireFox let the same buggy code run.

      It all balances out in the great karmic wheel of "Always Microsoft's Fault, Somehow".
  • Stupid, stupid, stupid summary.
    • Summary mentions IE 6/7 but what about Mac? No IE 6/7 there.
      I use Safari for most browsing and I just upgraded my Firefox to 2.0.0.10
    • by calebt3 (1098475)
      This does not happen in IE. And it seems like this problem spans all versions of Firefox that open Quicktime as a separate process rather than as an internal plugin.
    • I agree with your assesment of the summary.

      The CERT Vuln. Note [cert.org] gives somewhat better information and workarounds than I have seen elsewhere. (Some places say, "just block port 554 and you're safe." Nope.)

      I would like to note that while the exploit released doesn't work on IE, Symantec notes that, with work, a new exploit could target IE. (And likely other browsers. As people have noted elsewhere - this isn't really a browser issue.)

  • by Anonymous Coward on Tuesday November 27, 2007 @04:04PM (#21496231)
    So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?
    • Re: (Score:2, Insightful)

      by Brainix (748988)
      Really? Where are the gozillion iTunes exploits? Or is iTunes "less popular" too?
    • by _Sprocket_ (42527)

      So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?

      Try - one. This isn't it.

      This does show that Apple provides no magic bullet; Apple can (and does) put out crap code. If you think buying / using Apple software means never having to worry about bugs (and consequently exploits) then you've been deluded.

      What this doesn't do is settle why Apple's bugs don't become fertile ground for malware. In fact, since this particular exploit isn't (yet) actively used in the wild it doesn't even enter the debate. But then it's only a matter of time. Industrious malw

  • If it's just a simple buffer overflow, then shouldn't execute disable (NX bit for AMD, XD for stupid Intel who won't follow established standards) bit catch it for XP SP2 and other systems?
    • If it's just a simple buffer overflow, then shouldn't execute disable (NX bit for AMD, XD for stupid Intel who won't follow established standards) bit catch it for XP SP2 and other systems?

      Good question. I was thinking the same thing. Someone mod parent up ... and can anyone provide an answer?

  • Troll -1 (Score:4, Funny)

    by dgr73 (1055610) on Tuesday November 27, 2007 @04:05PM (#21496245)
    "Quicktime bug!?! Oh sweet Joseph of Arimathea!!!! Quick, inform the users.. YES BOTH OF THEM!"
    • MOD Parent Funnt (Score:3, Insightful)

      by Bryansix (761547)
      Cause that is what his post is.
    • by steelfood (895457)
      The interesting thing is, while Quicktime might not have two users, as an embedded player for online media, it has largely been supplanted as the defacto online media player and format by flash and flash videos. It seems while Quicktime's use might not be declining, it hasn't been gaining either even while online videos grow ever-more popular. The same could be said for WMV.

      Not that it matters, as all it takes is one bad site with an embedded malicious video...
  • by PhxBlue (562201) on Tuesday November 27, 2007 @04:34PM (#21496653) Homepage Journal

    Software should be pessimistic. Design the code to handle incoming requests as potentially malicious, and you'll never be disappointed.

  • Phew (Score:2, Insightful)

    by lluBdeR (466879)
    Man am I glad my system seems to deal with this problem proactively: The Quicktime plugin crashes anything that contains it almost as soon as it's drawn!

    Thank you Apple for protecting me from, well, Apple!
  • A bigger problem (Score:5, Insightful)

    by 0123456 (636235) on Tuesday November 27, 2007 @04:59PM (#21497073)
    Is that there's apparently no way to simply disable a plugin in Firefox. In order to completely disable Quacktime I've had to go through various plugin directories physically deleting the files, and next time I have to update it all the bloody plugins will be back again.

    Why can't about:plugins just have a 'disable' box on each plugin? Or, better yet, a standard preferences menu list which just lets me disable them there and then?
    • Re:A bigger problem (Score:5, Informative)

      by post.scriptum (953120) on Tuesday November 27, 2007 @05:30PM (#21497483) Homepage
      You can disable plugins in Firefox 3.0 beta 1.
    • noscript now lets you approve or deny certain plugins based on domain. As of 1.1.8.3 it only specifies between flash, silverlight, java, and "others", but it is a good start :-)
    • by caitsith01 (606117) on Tuesday November 27, 2007 @07:46PM (#21499039) Journal
      1. Quicktime doesn't ask whether you actually want to install the browser plugin when you install the QT player

      2. You HAVE to install Quicktime if you want to use iTunes

      3. You (sort of) HAVE to install iTunes if you want to use an iPod (although I strongly recommend people consider Winamp, which has native support now, or the excellent ml_ipod plugin for Winamp)

      4. Quicktime's browser plugin commandeers associations with a whole range of media types whether you want it to or not

      5. QT doesn't give you the option of launching QT in a totally separate window - it automatically opens things embedded in the browser and starts playing them

      6. QT seems to totally screw the ability to get Firefox to go back to launching media files with the good old "Open with..." dialog box, which lets you decide whether to open it, what to open it with, or whether to save it to disk

      7. QT has absolutely no regard for what other media players and file association you might already have configured for your browser

      and I guess we can add 8, although it was already implied

      8. QT is a buggy p.o.s. with worse functionality and security than any half-decent media player including VLC, Winamp, and (in my humble opinion) even the dreaded WMP.

      All of this reflects Apple's horrible attitude to developing software for the PC, which is essentially that they will utterly ignore the now well-established conventions of the platform in terms of installation behaviour, GUI and menu structure, and plugin behaviour and just run roughshod over the whole thing. Which would probably be more acceptable if their software JUST WORKED and was as fully featured as other options on the PC - but unfortunately that is not the case.
  • I just went to change the way that files are handled by Firefox as a work around.

    The dialog requires that each file type be individually changed.

    This would seem to be a VERY poor design.
  • Symantec is wrong... (Score:4, Informative)

    by Anonymous Coward on Tuesday November 27, 2007 @05:16PM (#21497321)
    http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html [blogspot.com]
    http://erratasec.blogspot.com/2007/11/new-rtsp-quicktime-flaw-affects-both.html [blogspot.com]

    Standard buffer overflow protection doesn't work, Symantec was wrong. It seems that parts of Quicktime are not enabled for ASLR making these attacks possible.
    • Re: (Score:3, Informative)

      by makomk (752139)
      Someone please mod parent up. Basically, there are two aspects to this:
      1) Someone has apparently figured out a way to launch the exploit that avoids the protection works correctly in Internet Explorer
      2) QuickTime (and its libraries) are not marked to allow ALSR, which would make this much harder to exploit.
  • Website's fault (Score:2, Insightful)

    by nbucking (872813)
    This problem's principle fault lies with Apple. But it seems that they are sitting on their asses because it seems to be a problem that has been around for awhile. So those websites that use quicktime should use flash player, media player, or realplayer. Heck I have gotten video lan to take care of them all but those who do not want the trouble should blame the stupid websites. As far as I am concerned about firefox not handling apple's screwup as well as the other browsers it is scary. Yet if quicktim
  • The only thing worse than QuickTime is RealPlayer. Both are asstastic pieces of shit that are NOT, under any circumstances, allowed on any of my machines.

    This is Apple's screwup in its code. Could FireFox handle it differently? Sure. But it ain't the code that they wrote that is the problem here.
  • I'm been on Ubuntu for six months or so (Linux for wimps like me - and there was much rejoicing!), But the best thing I had for Media on XP is Mplayer.

    I've have strongly disliked Quicktime for a long time, because it sticks it's little fingerprints into things worse than anything I've ever seen that's not from Redmond. I ripped my XP configuration out with Nlite, and setup my install CD with registry keys that hook everything to Mplayer. Short, sweet, runs everything that's not encrypted, and it doesn't try
  • by Cyko_01 (1092499) on Tuesday November 27, 2007 @07:12PM (#21498663) Homepage
    if you are using 2.0.0.10 or later then you should already be protected against this exploit. THAT is why firefox is still the best browser available

Those who do not understand Unix are condemned to reinvent it, poorly. -- Henry Spencer

Working...