Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


QuickTime Flaw Poses Risk to Mac & Windows Systems

In a demonstration by the security researcher Petko D. Petkov, it was shown how vulnerability in QuickTime media player of Apple software can lead Firefox browser to plant backdoors and other types of malware on a system even if it is fully patched. Petkov said the flaw affects both Mac and Windows systems.

On September 12, 2007, the researcher posted a proof-of-concept code on the Internet to demonstrate how the exploit enables to execute privileged code on an unsuspecting user's PC. The XML code introduces foo.mp3, a file that QuickTime supports and which is not found on the affected PC.

The proof-of-concept makes an impact on Mozilla's chrome engine. The flaw in QuickTime affects all versions of Internet Explorer (IE). However, the impact it makes is less severe because of the strict security policies by IE for scripts regarding local zones, Petkov said in a statement as published by Builderau on September 13, 2007. The proof-of-concept also shows how apparently less critical security holes, when combined with other flaws, can be enlarged to become major issues. He added that old QuickTime was not worth repairing when Apple security wonks figured this year.

The code subsequently prompts QuickTime to load another file on the victim's computer. Since QuickTime is not choosy about the URLs it transfers to Firefox, there is no restriction on attackers to include any address using Firefox's chrome component in order to execute privileged code on an affected PC. By exploiting the vulnerability, the attacker can easily download spyware, adware, rootkit and such kinds of malware on a victim's system within seconds.

The vulnerability is also flawed in the manner by which QuickTime loads XML files containing links to video or audio media and meta-data that pretend to be the real file. It is also possible to insert JavaScript into the XML file attributes, which runs by default on opening the file. QuickTime allows transparent use of these files where media files are used and because of that, the exploit code could infect any video or audio file like mpg, mp3, png and avi that QuickTime intends to run. The blog that published the security hole contains 42 different file extensions that have been affected.

Related article: QuickTime Vulnerability Capable of Hijacking Macs & PCs

» SPAMfighter News - 9/27/2007

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page