Topic: Severe QuickTime vulnerability in Firefox disclosed
xpgeek
September 12, 2007, 01:59:08 PM

From Mozilla Links:

Quote
GNUCITIZEN, a “creative hacker organization”, has disclosed details on a severe security vulnerability affecting Firefox users that have installed the QuickTime plugin on Windows or Mac OS X, which at a minimum includes all iTunes users.

The vulnerability is based on QuickTime Media Link files (.qtl), simple XML files that include details about the media file to be played (like an .avi, .mov or .mp3) and other settings. However one of these parameters, qtnext, allows the publisher to specify a URL (web address) to be displayed when the media file ends. The URL could be a JavaScript instruction like those used in thousands of web pages and services currently.

To this point there is no problem. But Firefox itself is controlled through JavaScript code and libraries in an isolated environment that separates it from web pages code. The QuickTime plugin however can access the Firefox code just as any other object and manipulate it to run any application in an attacked computer.

To make things worse, the QTL files can be renamed as .mp3, .mpg, .avi or any of a couple of dozen file formats QuickTime supports and it will handle them properly, easing the scenario for possible attacks.

The test cases posted by GNUCITIZEN are really scary: click on an mp3 and the QuickTime plugin tries to load the file which doesn’t exist so it quickly completes and launches Windows Calculator. But it could be any application with any parameter.

It’s not clear to me where the responsibility lies, but QuickTime enforcing an appropriate file format naming would at least help to know when a site is serving a file that could possibly include some scripting.

On the other hand, Firefox shouldn’t allow a plugin to script its code. To aggravate things, this is the third time GNUCITIZEN discloses this same vulnerability: it was initially disclosed about a year ago and again some months later.

Given the severity of the vulnerability it needs to be fixed now.

In the meantime if you have the QuickTime plugin installed, virtually any media file could take control of your computer so I suggest disabling the plugin as soon as possible.

I guess there are more civilized ways of doing this but while we find it, just rename the plugins folder in the QuickTime install location. On Windows, by default it is C:\Program Files\QuickTime. Media files will still be associated with the plugin so clicking on a media file will open a blank page, so this is just a quick protection.
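Added example, not part of the quoted article or of any post in this thread: a defensive check for the two conditions the article describes, an XML media link served under a media file extension and a qtnext value whose URL scheme is not plain web content. The function name, the extension subset, the scheme allowlist, the prefix match on attribute names and both sample files are assumptions constructed for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumptions of this example: a sample of the media extensions the article
# names, and an allowlist of URL schemes considered harmless in qtnext.
MEDIA_EXTS = {".mp3", ".mpg", ".avi", ".mov"}
ALLOWED_SCHEMES = {"", "http", "https"}  # "" is a relative URL

# Constructed samples, not taken from any real test case.
SAMPLE_DISGUISED = b"""<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="missing.mp3" qtnext="javascript:void(0)"/>"""
SAMPLE_PLAIN = b"""<?xml version="1.0"?>
<embed src="clip.mov" qtnext="http://media.example/next.mov"/>"""

def qtl_findings(filename, data):
    """Return findings for one file body; an empty list means nothing flagged."""
    text = data.lstrip(b"\xef\xbb\xbf \t\r\n")   # drop BOM and leading whitespace
    if not text.startswith(b"<"):
        return []                                 # binary media, not a media link
    if b"<!DOCTYPE" in text or b"<!ENTITY" in text:
        return ["xml-with-dtd"]                   # do not expand entities from untrusted input
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return []
    findings = []
    if os.path.splitext(filename)[1].lower() in MEDIA_EXTS:
        findings.append("xml-under-media-extension")
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if not name.lower().startswith("qtnext"):
                continue
            # Browsers ignore whitespace and control characters inside a scheme.
            url = re.sub(r"[\x00-\x20]", "", value)
            scheme = urlsplit(url).scheme         # urlsplit lowercases the scheme
            if scheme not in ALLOWED_SCHEMES:
                findings.append("qtnext-scheme:" + scheme)
    return findings

if __name__ == "__main__":
    print(qtl_findings("song.mp3", SAMPLE_DISGUISED))
    print(qtl_findings("clip.qtl", SAMPLE_PLAIN))
```

A check like this fits a download proxy or mail gateway, where the file name and the first bytes of the body are both available before the browser hands the file to a plugin.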
xpgeek
September 12, 2007, 04:08:09 PM

I use QT Lite, which is the new Quicktime Alternative, as he had to stop producing the old one because he was distributing the Pro version of the codec with it. This one is the exact same thing as the old Quicktime Alternative, well, minus the Media Player Classic coming with it too, and made by the same guy, but it is still occasionally updated and now contains only the free version of the codec.

Anyway, since I don't even watch Quicktime trailers or video all that often anyway, I just went right ahead and deleted the Quicktime plugins from my Firefox plugins folder. They're still in the QT Lite folder for when I want to put them back, but for now I won't be until I'm actually about to use it, on a site I trust. This sounds pretty damn serious and I don't want the Quicktime plugin even in my Firefox plugin folder for now.
xpgeek
September 12, 2007, 04:46:14 PM

To remove the Quicktime browser plugin from Firefox entirely, simply open Windows Explorer and navigate to the following folder :
C (or whatever root Windows drive is) / Program Files / Mozilla Firefox (or Bon Echo/Minefield/whatever build of Firefox you use) / Plugins

And delete all of the following files if found there :

Quicktime browser plugin files :
npqtplugin.dll
npqtplugin2.dll
npqtplugin3.dll
npqtplugin4.dll
npqtplugin5.dll
npqtplugin6.dll
npqtplugin7.dll
QuickTimePlugin.class

Quicktime Alternative and QT Lite may have only 5 of those files rather than 7, and may also have the following file:
nsIQTScriptablePlugin.xpt

These are all the Quicktime browser plugin files for Firefox. Until this issue is fixed, it is my opinion that it is not safe to have Quicktime installed into Firefox AT ALL.

Note : This exploit affects both Firefox on Windows AND on Mac, but, I am not a Mac person so I am unable to name specific file locations on that platform, or if the file names are even the same.
xpgeek
September 12, 2007, 05:06:09 PM

Last update, just want to get all the facts out. It's pretty damn serious. I was just reading the blog of the guy that exposed it; he's got a few examples up that aren't harmful but just show that it works. They look like .mp3 files to me, it even says .mp3 in the status bar when moving the mouse over, and you can't tell at all that it is actually a .qtl file in disguise. This is very easily exploitable if people start using it for bad, which of course people will, so that's it, no Quicktime for me til they fix this.

Oh, AND it affects IE too, tho not as critically, so it's not a Firefox bug but almost entirely a Quicktime one.

Quicktime is the ONLY Apple product I can even stand, lol, cause I like watching movie trailers in awesome HD quality, but flash video is fine for me for a while.
Ryan Wagner
September 12, 2007, 07:25:16 PM

Yay, I don't even install Quicktime because of the problems it can cause, and vulnerabilities are also discovered quite frequently. Thanks for all the info though, I've warned some of my friends about this so they can keep an eye out.
IceDogg
September 12, 2007, 10:26:25 PM

Noscript does its job on this. Even if the site is allowed. Source http://hackademix.net/2007/09/12/noscript-pwns-quicktime-pwning-firefox/

That is Giorgio Maone’s site. The Noscript developer.
xpgeek
September 13, 2007, 02:45:40 PM

Quote
Noscript does its job on this. Even if the site is allowed. Source http://hackademix.net/2007/09/12/noscript-pwns-quicktime-pwning-firefox/

That is Giorgio Maone’s site. The Noscript developer.

I put the Quicktime browser plugins back, installed Noscript, and went and tried the example files again. You're right, it stops it. Sweet.
El Guru (Al)
September 13, 2007, 02:51:57 PM

I'm already using no scripts, so that is good to know. I'll blog this tomorrow, got to leave for work soon.
Ryan Wagner
September 13, 2007, 06:00:19 PM

Quote
Noscript does its job on this. Even if the site is allowed. Source http://hackademix.net/2007/09/12/noscript-pwns-quicktime-pwning-firefox/

That is Giorgio Maone’s site. The Noscript developer.

That's fricken awesome! I can't believe that even if the site is whitelisted it still works.
xpgeek
September 13, 2007, 07:42:42 PM

But then after using it for a few hours, I remember why I hate the NoScript extension. It's such a pain in the ass. I mean it's a good extension and does what it does, but every 5 minutes it's "oh, something's not working on this site, I gotta allow something to use javascript", and often I gotta allow more than just the top level domain too. It's a tedious way to browse the web. More secure? Yes. Actually worth the trouble it is to use it? Not really.
spock1982 (Ernie)
September 13, 2007, 07:51:16 PM

Quote
But then after using it for a few hours, I remember why I hate the NoScript extension. It's such a pain in the ass. I mean it's a good extension and does what it does, but every 5 minutes it's "oh, something's not working on this site, I gotta allow something to use javascript", and often I gotta allow more than just the top level domain too. It's a tedious way to browse the web. More secure? Yes. Actually worth the trouble it is to use it? Not really.

I agree, too tedious for me as well. I try and be cautious, but fiddling with NoScript is painful.
IceDogg
September 14, 2007, 09:43:01 AM

I have to agree it takes some getting used to, and if you visit a LOT of new sites daily it can be a pain. I go back and forth using it and not using it. It does slow down the browser a little as well; I've gone back and forth enough to have NO DOUBT about that. No numbers or anything. But 99 percent of new vulnerabilities are from javascript related stuff, so if you are paranoid it's a very good way to protect yourself. ymmv
El Guru (Al)
September 14, 2007, 12:11:02 PM

I had removed No Scripts a while back because of that reason. However, because Claus Valca on Grand Stream Dreams was raving about it so much, I reinstalled it a couple of weeks back. Much to my surprise I found it much easier to use now. But then again I don't do that much recreational surfing, I have my usual sites I visit. Now, I need to go work on a blog entry for this vulnerability & NoScripts. Only one of half a dozen things I've got planned to get done on my two days off.
xpgeek
September 16, 2007, 03:47:41 PM

Firefox 2.0.0.7 due out tomorrow, Sept. 17
Quick release to fix the "Quicktime flaw abuses Firefox" vulnerability (Bug 395942).

Source

Update: Yep, fixed. Just installed 2.0.0.7 rc2, put the Quicktime browser plugins back in place, and went and clicked on the malicious Quicktime test file, which uses the exploit but only opens Windows Calculator or IE to show that it works. It just pops open a second Firefox window now, but does NOT open anything like it's supposed to now. Fixed.