Friday, 14 September 2007

Firefox, iTunes, QuickTime: security risk

UPDATE: fixed in Firefox 2.0.07, do upgrade if you haven't already.

If you use Firefox as your default browser and have Apple's QuickTime plug-in (you probably do if you have QuickTime - see the mozdev site - or iTunes), note that there's a security risk with QuickTime link files in Firefox [UPDATE: should have added the default browser bit earlier, sorry].

That's not just .qtl links but it seems even .mp3, .wav, .3gp, .png and .mov links - for a longer list of possibly risky file extensions and details of the problem, as well as demo links you can click on to see what an attacker could do, see 0DAY: QuickTime pwns Firefox.

A bad hacker could set up a dodgy website so that when you click one of those types of links on that site, they could get into your system by secretly running JavaScript in Firefox - e.g. to install a backdoor on your computer.

Heise Security, where I first read about this, were able to reproduce the problem with Firefox 2.0.0.6 and QuickTime 7.2.0.240 under Windows XP with Service Pack 2.
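
As an added example (not from this post, Heise, or Mozilla): a small Python check that flags proxy log entries where a Firefox older than the fixed release fetched one of the file types the post lists. It assumes a constructed tab-separated log format and that the fix shipped in 2.0.0.7 under Mozilla's four-part numbering (the post writes it as 2.0.07).

```python
import re
from urllib.parse import urlparse

# File extensions the post names as handled by the QuickTime plug-in
# (the linked advisory has a longer list; only the ones named here are used).
QUICKTIME_EXTENSIONS = {".qtl", ".mp3", ".wav", ".3gp", ".png", ".mov"}

# First Firefox release with the fix. Assumption: the post's "2.0.07" is
# 2.0.0.7 in Mozilla's four-part numbering.
FIXED_FIREFOX = (2, 0, 0, 7)

UA_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")

def firefox_version(user_agent):
    """Return the Firefox version from a User-Agent as a 4-tuple, or None."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # pad so 2.0 compares as 2.0.0.0

def is_quicktime_link(url):
    """True when the URL path ends in one of the listed extensions."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in QUICKTIME_EXTENSIONS)

def flag_request(user_agent, url):
    """True when an unpatched Firefox fetched a QuickTime-handled file type."""
    ver = firefox_version(user_agent)
    return ver is not None and ver < FIXED_FIREFOX and is_quicktime_link(url)

# Constructed proxy log lines: "<client>\t<user-agent>\t<url>".
SAMPLE_LOG = """\
10.0.0.5\tMozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070725 Firefox/2.0.0.6\thttp://example.invalid/clip.qtl
10.0.0.6\tMozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070914 Firefox/2.0.0.7\thttp://example.invalid/clip.qtl
10.0.0.7\tMozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070725 Firefox/2.0.0.6\thttp://example.invalid/page.html
10.0.0.8\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\thttp://example.invalid/song.mp3
"""

def flagged_clients(log_text):
    """Return the client addresses whose requests match the risky pattern."""
    hits = []
    for line in log_text.splitlines():
        client, ua, url = line.split("\t")
        if flag_request(ua, url):
            hits.append(client)
    return hits

if __name__ == "__main__":
    print(flagged_clients(SAMPLE_LOG))  # ['10.0.0.5']
```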

How do you protect yourself? Until there's an update with a fix, Heise suggest that you should:

You can guess which course I've taken (or rather, had already taken)!