A researcher has demonstrated how a security bug in Apple’s QuickTime media player that was disclosed a year ago can cause Firefox to install backdoors and other malware on a fully patched computer. He said both Windows and Mac systems are vulnerable.
The researcher, Petko D. Petkov, on Wednesday posted proof-of-concept code that shows how the exploit can be used to run privileged code on an unwitting user’s machine. Click here to find out more!
The XML code calls up a QuickTime-supported file such as foo.mp3, which doesn’t exist on the victim’s machine. The code then instructs QuickTime to load a second file. The thing is, QuickTime isn’t particularly picky about the type of URLs it passes on to Firefox, so attackers are free to include addresses with Firefox’s “chrome” parameter, which is used to run privileged code on a user’s machine.
“On its own, the QuickTime issue is less critical,” Petkov said in an email. “Firefox is not vulnerable either. But when put together, they create a very dangerous combination.”
Apple, Quick Time Player, Media Player, Security, Falw, Bug, Vulnerability, Windows, Mac