QuickTime Flaw Poses Risk to Mac & Windows Systems
In a demonstration, security researcher Petko D. Petkov showed how a vulnerability in Apple's QuickTime media player can lead the Firefox browser to plant backdoors and other types of malware on a system, even if it is fully patched. Petkov said the flaw affects both Mac and Windows systems.
On September 12, 2007, the researcher posted proof-of-concept code on the Internet to demonstrate how the exploit allows privileged code to be executed on an unsuspecting user's PC. The XML code references foo.mp3, a file that QuickTime supports and which is not found on the affected PC.
The proof-of-concept affects Mozilla's chrome engine. The flaw in QuickTime also affects all versions of Internet Explorer (IE). However, its impact there is less severe because of IE's strict security policies for scripts in local zones, Petkov said in a statement published by Builderau on September 13, 2007. The proof-of-concept also shows how apparently less critical security holes, when combined with other flaws, can be enlarged to become major issues. He added that old QuickTime was not worth repairing when Apple security wonks figured this year.
The code subsequently prompts QuickTime to load another file on the victim's computer. Because QuickTime does not restrict the URLs it passes to Firefox, nothing prevents an attacker from including any address that uses Firefox's chrome component in order to execute privileged code on an affected PC. By exploiting the vulnerability, an attacker can easily download spyware, adware, rootkits and similar malware onto a victim's system within seconds.
» SPAMfighter News - 27-09-2007