Unpatched QuickTime Bug Threatens Firefox - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications

Unpatched QuickTime Bug Threatens Firefox

A penetration tester said he posted an exploit demonstration to make a point after Apple "ignored" a QuickTime vulnerability that he discovered a year ago.

Mozilla confirmed that a year-old unpatched vulnerability in Apple's QuickTime media player opens up a backdoor that could enable a hacker to break into Firefox.

Petko D. Petkov, a penetration tester, said in a blog post that the "vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system." Petkov released information about two QuickTime bugs this same month last year, but he noted that only one has been patched. The other remains a problem, especially for users of the open-source Firefox browser.

The researcher posted several proof-of-concept exploits on his blog.

"Petkov provided proof-of-concept code that may be easily converted into an exploit, so users should consider this a very serious issue," wrote Window Snyder, the top security person at Mozilla. "If Firefox is the default browser when a user plays a malicious media file handled by QuickTime, an attacker can use a vulnerability in QuickTime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in QuickTime. So far this is only reproducible on Windows."

The researcher said in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."

Apple issued at least three separate patch updates for QuickTime in the last several months.

QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
News
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
Commentary
Graph-Based AI Enters the Enterprise Mainstream
James Kobielus, Tech Analyst, Consultant and Author,  2/16/2021
Slideshows
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Slideshows
Flash Poll