Firefox Susceptible To QuickTime Security Flaw
Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."
And this is a firefox problem... (Score:5, Insightful)
Re:And this is a firefox problem... (Score:5, Insightful)
Guess they want more hits by throwing Fox into the mess though, but really, why have Mozilla fix Apple's flaws?
Re:And this is a firefox problem... (Score:5, Insightful)
Besides, this is Slashdot. Since when did the headlines make sense?
How is this a firefox problem? (Score:3, Insightful)
Apple software not secure. (Score:4, Insightful)
QuickTime == Java (Score:1, Insightful)
taskbar icon, using valuable desktop space, just to tell me, yay! you have QuickTime installed!
I make it a habit to simply not view QuickTime content, it's usually not worth my 'time' quick or not.
Because of the end appearance (Score:5, Insightful)
So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.
MOD Parent Funny (Score:3, Insightful)
Re:And this is a firefox problem... (Score:2, Insightful)
But that's just me talkin'.
Re:That does it for me... (Score:4, Insightful)
Funny that security is not touted as much as a feature anymore compared to the early Firefox releases.
Re:Safety through laziness. (Score:3, Insightful)
Re:And this is a firefox problem... (Score:2, Insightful)
Re:How is this a firefox problem? (Score:2, Insightful)
Kind of like how on an old operating system that doesn't have separate address spaces it isn't the OS's fault if you run a program that brings down the entire system. But there is a better OS design they could have used that would have prevented that. Same thing here, there is a better browser design that would have prevented this.
Design for maliciousness (Score:4, Insightful)
Software should be pessimistic. Design the code to handle incoming requests as potentially malicious, and you'll never be disappointed.
Phew (Score:2, Insightful)
Thank you Apple for protecting me from, well, Apple!
Re:How is this a firefox problem? (Score:2, Insightful)
If this was an IE problem, you know the tagging beta would be full of 'defectivebydesign' and 'haha' remarks. But this is Firefox, so all is forgiven.
Re:Apple software not secure. (Score:2, Insightful)
Re:And this is a firefox problem... (Score:4, Insightful)
So taking your logic further, the OS should be responsible for all of this, so it's not even Firefox's problem. ^_^ Apps should be purpose built and responsible for that purpose. If you do the blame game up the line, you'll find tremendous bloat (more so than it already is) creeping into all first-line programs and even more so to the OS. If you don't blame Microsoft and OSX (the only two platforms Quicktime runs on, IIRC) as much as Firefox, you have violated your own thinking line.
A bigger problem (Score:5, Insightful)
Why can't about:plugins just have a 'disable' box on each plugin? Or, better yet, a standard preferences menu list which just lets me disable them there and then?
Re:Apple software not secure. (Score:2, Insightful)
Website's fault (Score:2, Insightful)
Re:And this is a firefox problem... (Score:1, Insightful)
Re:And this is a firefox problem... (Score:3, Insightful)
Re:And this is a firefox problem... (Score:3, Insightful)
Re:And this is a firefox problem... (Score:5, Insightful)
IE uses a plugin interface to deal with QuickTime. As such, it has a standard framework which does some bounds checking and can find buffer overflows like this one and kill a plugin (or iexplore.exe if necessary) preventing damage.
Firefox just passes parameters on to an external program.
Pick your poison, you can probably make justifications for either, but to me the IE method makes more sense. It's embedded content, it should be handled as a plugin to the parent application. You are a programmer, I'm sure you are familiar with the concepts of parents and children
Re:Quicktime - default??? (Score:3, Insightful)
Re:And this is a firefox problem... (Score:4, Insightful)
OTOH, babysitting probably takes up more resources so a paranoid OS will slow down. But IMHO the solution is still to taint dangerous stuff (what you got just downloaded) and have the OS babysit it.
Re:And this is a firefox problem... (Score:1, Insightful)
As an Apple user since 1979, all I can say is: You won't get bashed by me. I use VLC and MPlayer for just about everything except the wmv files that Flip4Mac handles as a QT plugin... heheh, using QT for Windows Media. The QuickTime Pro player on an adequate Mac, with the prefs set 'just right', is not a bad thing, but... when you absolutely want to playback anything (with minor exceptions), VLC is the way to go on the Mac.
I've seen latest QT Pro, in Leopard, on 4 Macs here, 'kick' an mp3 on the grounds that it "Can't play this movie file type", and all I can say is, WTF? Not sure if that's all QT's fault, or it's getting an assist from the wonky Apple HFS+ (UNIX-incompatible) file system, but whatever... vive la France!
Re:Quicktime is the FF plugin from hell (Score:3, Insightful)
Yeah, because without Quicktime installed in Windows it is simply not possible to do kind of important stuff like, I dunno... play music, is it?
Microsoft better make it part of the default Windows install pronto to give millions of users worldwide the ability to actually play music for the first time ever.
Of course, that old version of iTunes which didn't require Quicktime and didn't play music was a bit pointless, too.