Apple's QuickTime media player is incredibly popular. One of the reasons for that is it provides media playback and display capabilities for other popular software, for instance, iTunes. You frequently might not even realize that QuickTime is installed.
And that could be bad for you.
This week, proof-of-concept code was posted that could be used to take over your PC, or to let an attacker carry out a whole range of lesser exploits. All you have to do is run Firefox on Windows and come across a booby-trapped link, or even a rigged banner ad. You click on the bad link on a Website or in an HTML e-mail, or you view the ad, and it triggers QuickTime to load and begin playing back the file.
If this were a real attack, you'd already be hosed. Luckily, there haven't been any attacks in the wild yet. But since the code for the exploit is already out there for re-use by crackers, this is a real zero-day dilemma.
The ironic thing is that the flaw in QuickTime has been public for more than a year, yet Apple hasn't fixed it, according to posts on "creative hacker" site GNUCITIZEN.
"It seams that QuickTime media formats can hack into Firefox. The result of this vulnerability can lead to full compromise of the browser and maybe even the underlaying [sic] operating system. Don't try this at home."
And the postings include working code.
I spoke with Paul Henry, vice president of technology evangelism at Secure Computing Corp. in San Jose, Calif., who just tried out the exploits earlier today.
From his quick tests, he said he found the problem primarily affects Firefox running on Windows. On a Mac, he got an error, while on a Linux box nothing happened. That's not the comprehensive testing you'd do with dozens of machines in a test lab, of course, so this is just fair warning.
Okay, now the bad news. There isn't currently a patch or a workaround, Henry said. "You just have to not click on a QuickTime file that you don't trust." Of course, then you've got the dilemma of figuring out whether or not to trust any QuickTime files.
The GNUCITIZEN site says the demo code could be pasted into a file with any of more than 80 different file extensions, including mp3, m4a, mpg, pic, wav and many others. So just looking at a filename might not help you a bit.
It's not foolproof, but the old saying goes that you shouldn't go anywhere on the Web you wouldn't want your mom to see. Shadier places might be more dangerous, but then again a popular user-posted content site like someone's MySpace page might be just as dangerous. You just never know.
Henry said (and I agree with him) that, especially since so many people, like a lot of iTunes users, may not even realize QuickTime is present on their systems, a patch or update for this is needed pronto.
I've got a call in to Apple's media relations department to see what they'll tell me, and will keep you informed.
So if the problem only affects PCs running Windows, what the Apple PR will tell you is to get a Mac, lol