Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Firefox Susceptible To QuickTime Security Flaw

kdawson posted more than 6 years ago | from the exploit-available-in-the-wild dept.

Security 231

Hugh Pickens writes "Apple's QuickTime media player software contains a previously undocumented security weakness in the way QuickTime handles the RTSP media-streaming protocol. The vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Symantec has tested the publicly available exploit code and found that it failed to work properly against Internet Explorer 6/7 or Safari 3 Beta but the exploit works against Firefox if users have chosen QuickTime as the default player for multimedia formats. Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control, while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."

Sorry! There are no comments related to the filter you selected.

And this is a firefox problem... (4, Insightful)

Shoeler (180797) | more than 6 years ago | (#21496135)

Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?

Re:And this is a firefox problem... (4, Insightful)

Volante3192 (953645) | more than 6 years ago | (#21496177)

Exactly...the way I'm reading this, if someone opens whatever this is straight in Quicktime it'd be vulnerable.

Guess they want the more hits by throwing Fox into the mess though, but really, why have Mozilla fix Apple's flaws?

So that's why (1)

Gr8Apes (679165) | more than 6 years ago | (#21497149)

So that's why FF updated by 3pm.

Re:And this is a firefox problem... (5, Insightful)

aredubya74 (266988) | more than 6 years ago | (#21496179)

It's not a Firefox problem inasmuchas a fix to Firefox itself will fix the problem. However, it's a reasonable idea to provide a heads-up to Firefox users (savvy and not-so-savvy) that a popular associated app it interacts with contains a flaw that appears to be unique to said pairing.

Besides, this is Slashdot. Since when did the headlines make sense?

Re:And this is a firefox problem... (0)

Anonymous Coward | more than 6 years ago | (#21496227)

Well in this case the headline made perfect sense.

Re:And this is a firefox problem... (1)

morgan_greywolf (835522) | more than 6 years ago | (#21496183)

You're right. It's not. But that's how it's going to be perceived by end-users because the exploit happens with Firefox, but not with Safari or IE.

Here's the deal: This is a QuickTime problem, not a Firefox problem. Apple needs to fix QuickTime. There should be nothing wrong with Firefox handing off the request to an application that's supposed to handle it correct.

Re:And this is a firefox problem... (4, Interesting)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21496365)

Here's the deal: This is a QuickTime problem, not a Firefox problem. Apple needs to fix QuickTime. There should be nothing wrong with Firefox handing off the request to an application that's supposed to handle it correct.

I 90% agree with you; however, I do think operating systems should handle transactions with internet applications differently than normal processes. Both Vista and Leopard and any Linux distro with SELinux enhancements has the ability to sandbox certain processes for added security. The reason this exploit does not work with IE is because runs it as a plug-in and sandboxes all of those plug-ins within IE. I'd argue that any process to which data is "handed off" by a Web browser, e-mail client, or chat client should run in a sandbox as an extra layer of protection against this common type of attack.

Yeah, Quicktime is the culprit here and Firefox is not to blame, but I'd argue that the OS (all of them currently) is partly to blame for not sandboxing data coming into the machine via the Web.

Re:And this is a firefox problem... (2, Insightful)

purpledinoz (573045) | more than 6 years ago | (#21496467)

My solution is to not use QuickTime. What pisses me off about QT is that it puts itself in the Windows startup, eating up memory for no reason. In fact, I stopped using iTunes all together because it installs a couple of services AND QuickTime. Plus, it's such a pain in the ass when I plug in my iPod to charge, and my computer starts to kill itself loading up iTunes automatically. I use Winamp with the external ml_ipod plugin. It's much better.

Re:And this is a firefox problem... (1)

Nerdposeur (910128) | more than 6 years ago | (#21497297)

I feel your pain. But you can change your setting so that when you plug in your iPod, it doesn't load iTunes automatically. I did.

I still use iTunes, but it is not my default player. That way if I just want to open a sound file real quick, I can let Winamp handle that in 1 second. But if I'm going to start a nice long playlist while I hang out, I use iTunes.

Re:And this is a firefox problem... (0, Offtopic)

m4ximusprim3 (619388) | more than 6 years ago | (#21496185)

Yeah, and how is it the US's problem if we farm out security to an external security firm like blackwa... Oh, wait, you mean it reflects badly on us? What? Why don't people just realize that it's not our fault?

Re:And this is a firefox problem... (1)

the_humeister (922869) | more than 6 years ago | (#21496225)

I don't know. But IE gets blamed for similar sorts of situations as well (but not this particular instance).

Re:And this is a firefox problem... (5, Interesting)

everphilski (877346) | more than 6 years ago | (#21496243)

It isn't a firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.

Glass half empty, half full type thing. Of course, Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?

Re:And this is a firefox problem... (2, Insightful)

Shoeler (180797) | more than 6 years ago | (#21496393)

Quicktime is causing the problem, but would you rather have a browser that arbitrarily trusts the plugin, or does some bounds checking?
I'd rather have a browser that focuses on making sites render most correctly, most quickly, and where only its core functions are concerns of the already burdened developers.

But that's just me talkin'.

Re:And this is a firefox problem... (0, Troll)

Bill, Shooter of Bul (629286) | more than 6 years ago | (#21496673)

I don't want a large number of people using a browser that doesn't take security seriously. programs have bugs, many of them turn out to be exploitable. For the good of everyone using the net, the dominant technologies should be those that minimize the threat of malicious code. We're just beginning to see the damage that can be wrought by bot nets. So I would hope that in light of your preferences, you would use lnyx, or create your own browser and never share it with anyone else.

Re:And this is a firefox problem... (3, Insightful)

Shoeler (180797) | more than 6 years ago | (#21496939)

Look - I'm a programmer. It may sound pedantic of me, but I believe programs should be responsible only for what they are designed to do. Clearly this means being responsive and indeed responsible for their own security. Lapses in one's own program are unavoidable but should be quickly and non-quietly fixed. It's an interesting suggestion that the paradigm needs to shift to the parent app being solely responsible for its children's security.

So taking your logic further, the OS should be responsible for all of this, so it's not even Firefox's problem. ^_^ Apps should be purpose built and responsible for that purpose. If you do the blame game up the line, you'll find tremendous bloat (more so than it already is) creeping into all first-line programs and even more so to the OS. If you don't blame Microsoft and OSX (the only two platforms Quicktime runs on, IIRC) as much as Firefox, you have violated your own thinking line.

Re:And this is a firefox problem... (0)

lgw (121541) | more than 6 years ago | (#21497221)

But the purpose of a web browser is to *safely* render content from teh interwebs. Handing off rendering to an unmonitored process fails at this. Rendering in a monitored sandbox is safer (but not perfect). This is Firefox's problem, because Firefox runs at the border of your box.

Re:And this is a firefox problem... (1)

pembo13 (770295) | more than 6 years ago | (#21496413)

Well if you volunteering installed the plugin, I just assumed the browser would trust it. Interesting to find out otherwise. Does that mean the Quicktime plugin could take IE down with it in a crash?

MOD PARENT UP (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21496419)

You nailed it exactly. It isnt a programming error in Firefox, its just that the way it was architected allows some security holes that wouldnt happen had they designed it the way IE was designed.

Re:MOD PARENT UP (0)

Anonymous Coward | more than 6 years ago | (#21496623)

You mean tying it directly into the OS?

Re:And this is a firefox problem... (4, Funny)

sm62704 (957197) | more than 6 years ago | (#21496503)

Glass half empty, half full type thing.

The optimist says the glass is half full. The pessimist says the glass is half empty. The scientist says there is .3764666437 litres. The realist says "there's not enough". The doctor says "he's dead, Jim".

Re:And this is a firefox problem... (4, Funny)

znode (647753) | more than 6 years ago | (#21496681)

The engineer says that the glass is twice as large as it needs to be.

Jack Bauer found out where the glass was, who drank the water, and which government they worked for.

Re:And this is a firefox problem... (1)

Duhavid (677874) | more than 6 years ago | (#21497119)

Hopefully they picked the "good package" and not the "big gun".

Re:And this is a firefox problem... (0)

Anonymous Coward | more than 6 years ago | (#21497269)

It isn't a firefox problem, but then again, it isn't an IE problem because Internet Explorer has some buffer overflow protection which prevents further execution.
I doubt that's the case. It's more likely that the author of the article just doesn't understand the subject matter. The Quicktime player and plugin are almost certainly using the same DLL. Since the overflow occurs inside the DLL code, buffer protection in hosting application (IE) is probably not helping at all. However, the memory offsets in IE will be entirely different than the player, which would prevent the exploit. The situation for Safari should be the same. The most likely scenario is that the researcher's PoC simply isn't written for anything other than the base player. After all, that's usually the case with PoC exploits.

Because of the end appearance (4, Insightful)

Sycraft-fu (314770) | more than 6 years ago | (#21496273)

When you use QT in Firefox, it appears in the FF window itself, it in a very real way seems to be part of FF. We aren't talking about opening a file that ten spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.

So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.

Re:And this is a firefox problem... (1)

Savage-Rabbit (308260) | more than 6 years ago | (#21496353)

Why? I mean help me understand how it simply farming the request to an external app, where the external app has the security problem, is a firefox problem?
Because Internet browsers are one of the commonest entry-points for malware. While one could argue that this strictly speaking isn't a Firefox problem, I for one would still expect a modern web browser to place as many barriers as possible between itself and my OS. The fact that it is standard practice in IE 6/7 to sandbox apps like this as an internal plugin should be enough of a motivation for the Firefox team to go the same way. Being upstaged in security features by a Microsoft product is pretty embarrassing.

Re:And this is a firefox problem... (0)

Anonymous Coward | more than 6 years ago | (#21496409)

Here is a link to a video showing how this is a firefox issue....

To see the video, make sure you are running in firefox and have selected quicktime as your default player to get the full effect.

http://someidiotwillclickme.com/firefox-quicktime-bug.mov [someidiotwillclickme.com]

Re:And this is a firefox problem... (0)

Anonymous Coward | more than 6 years ago | (#21496895)

The video won't play! I keep clicking the link over and over, but it won't play!!

Firefox? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21496429)

It's a piece of shit.

Thats why (-1)

Anonymous Coward | more than 6 years ago | (#21496457)

I don't use Firefox. I use my sandboxed IE7 on Vista. Posting anomimous because we all know which moderations I will get, but this is a true like a house. I feel more safe with IE7 sandboxed in Vista that I wil ever feel with FF.

Re:And this is a firefox problem... (0)

Anonymous Coward | more than 6 years ago | (#21496629)

Oh wow, another 'sploit in FF which allows arbitrary code execution. These things seem to come out on a daily basis.

Sure makes me glad I'm using IE7! Netscape always was garbage, and there's no reason at all to think a million more sets of eyeballs are going to polish that turd.

Re:And this is a firefox problem... (1)

Kalriath (849904) | more than 6 years ago | (#21497075)

I assume this nearly caused a fatal exception in the minds of the submitter or editor. I mean, they can't blame it on Firefox, because it's the Browser of Gods. And they can't blame it on Quicktime, because it's Apple.

They would have blamed it on IE, but they couldn't find any way to make any connection (and for the first time ever, IE just kind of sat off to the side and shrugged it's shoulders in disinterest that it isn't affected).

Re:And this is a firefox problem... (4, Funny)

thomas.galvin (551471) | more than 6 years ago | (#21497189)

(and for the first time ever, IE just kind of sat off to the side and shrugged it's shoulders in disinterest that it isn't affected).
As opposed to all of the times IE just kind of sat off to the side and shrugged it's shoulders in disinterest even though it was affected.

Re:And this is a firefox problem... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21497359)

Simple, Firefox facilitates the Internet experience. Reffering to the bad car analogy, it's similar to Ford Explorer and GoodYear tires. Ford did not make the tires but the way they used them on Explorer made it unsafe for the passangers.

Safari (0, Flamebait)

u235meltdown (940099) | more than 6 years ago | (#21496141)

ok, so I use Safari or Opera (if they handle this better) to browse porn for a while till they patch this

Oh noes (0, Flamebait)

dedazo (737510) | more than 6 years ago | (#21496157)

I felt a great disturbance in the Force... as if millions of fanboys suddenly cried out in terror and were suddenly silenced.

That does it for me... (5, Funny)

skeftomai (1057866) | more than 6 years ago | (#21496165)

Man, I'm using IE from now on. It's WAY more secure...

Re:That does it for me... (0)

Anonymous Coward | more than 6 years ago | (#21496301)

I know you said that jokingly, but while you can argue that IE is theoretically more secure but in practice Firefox is more secure because evildoers dont write exploits for firefox. If the shoe was on the other foot here and this exploit worked for IE but not Firefox you can bet there would be a million malicious web sites out there within a few days trying to take advantage of it. But since it only works for firefox this slashdot headline is probably the last time you will hear about it.

Re:That does it for me... (1)

calebt3 (1098475) | more than 6 years ago | (#21496371)

I don't know... ~12% of the market is still quite a large number of people.

Re:That does it for me... (1)

KDR_11k (778916) | more than 6 years ago | (#21497147)

Especially when those people think nothing could possibly happen to them.

Re:That does it for me... (3, Insightful)

Homology (639438) | more than 6 years ago | (#21496417)

Man, I'm using IE from now on. It's WAY more secure...

Funny that security is not touted as much as a feature anymore compared to the early Firefox releases.

Re:That does it for me... (0, Troll)

El Lobo (994537) | more than 6 years ago | (#21496489)

Actually, using IE7 on Vista in it's DEFAULT sandboxed mode will protect you from almost every 3rd party plugin problem.... So you ARE partially right. I use it my self IE7 sandoxed on Vista and have no intentions to change to whatever...

How is this a firefox problem? (3, Insightful)

rminsk (831757) | more than 6 years ago | (#21496181)

So how is this a firefox problem? Firefox spawns off another process that has a flaw and it crashes. This process is completely outside of the memory space of firefox at this point.

Re:How is this a firefox problem? (2, Interesting)

Anonymous Coward | more than 6 years ago | (#21496469)

How do so many people have a problem understanding this? It's simple:

Non-Firefox browser: exploit fails to execute, instead protected by bounds checking

Firefox: exploit executes unchecked

How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.

Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.

Re:How is this a firefox problem? (1)

ByOhTek (1181381) | more than 6 years ago | (#21496819)

Firefox assumes that if a user installs a plugin, it is trustable, the others do not.

The plugin (and the app itself) are where the flaw lies. Now, firefox could sandbox its plugins, at some arbitrary performance penalty, as it's rivals do, and that would certainly fix the problem from the FireFox pov.

But the problem is still within QuickTime, and any other non-sandboxing app could be corrupted. One of the things I leanred in my computer science classes, is that if you have error checking at every level, your code will probably be secure, however, it will also be slow. In this case, the data stream is interpereted by Quicktime (by any browser), and thus the error checking should be handled by Quicktime.

Now, we could argue that firefox should implement a per-plugin sandbox option (not a bad idea really), but even with that, there would still be a problem in Quicktime, and opening a stream that exploits the vulnerability in Quicktime would still work (even with Firfox patched. Fixing Quicktime would fix both applications.

Put another way: Fix Quicktime, and every application that uses quicktime will be fixed. Fix the apps that call quicktime with sandboxing or other mechanisms, and you'll have a bunch of slower applications, and any application without the fix already applied, will still be broken - that includes Quicktime itself.

Re:How is this a firefox problem? (0)

Anonymous Coward | more than 6 years ago | (#21496873)

Some pro-firefox anti-ms mods around today. This guy explained it correctly. It is a problem with firefox, and IE does have a security model in place to stop such things. And yet he got modded flamebait. Whats up with that? I guess this is why so many people who are explaining why this is a FF problem are posting as AC.

Re:How is this a firefox problem? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21496567)

Because it is possible to have a better security model that doesnt spawn off another process.

Kind of like how on an old operating system that doesnt have seperate address spaces it isnt the OSes fault if you run a program that brings down the entire system. But there is a better OS design they could have used that would have prevented that. Same thing here, there is a better browser design that would have prevented this.

Re:How is this a firefox problem? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21496777)

Which is exactly the problem. It should not pass untrusted files to other trusted apps. It should keep it inside it's own buffer overflow protection bubble as IE does.

If this was an IE problem, you know the tagging beta would be full of 'defectivebydesign' and 'haha' remarks. But this is Firefox, so all is forgiven.

Re:How is this a firefox problem? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21497405)

So what you are saying, fundamentally, is that it's actually Windows which is to blame as it allows passes untrusted files from the Internet to Firefox.

Shame on you Microsoft - defectivebydesign'

Re:How is this a firefox problem? (1)

thomas.galvin (551471) | more than 6 years ago | (#21497343)

So how is this a firefox problem? Firefox spawns off another process that has a flaw and it crashes. This process is completely outside of the memory space of firefox at this point.
It isn't a Firefox problem. per se. Firefox did nothing but what was asked of it: call this user-specified external program to deal with a piece of data.

Applications should be well-written and behaved, but we expect our OS to compensate for them when they are not. Browsers are evolving, becoming an operating environment unto themselves, and Firefox's competitors have taken a stance similar to the OS makers. Plug-ins should be well-written and behaved, but they'll take steps to minimize the damage caused by the ones that are not.

And that makes it Firefox's problem, because Firefox is lacking a feature that other browsers provide. This kind of plug-in security is becoming a "best practice" of sorts, and Firefox should implement this feature to stay current.

Re:How is this a firefox problem? (1)

Slashdot Parent (995749) | more than 6 years ago | (#21497347)

I dunno. IE users are not vulnerable. Firefox users are.

Explain to me why the term "firefox" doesn't belong in the vulnerability writeup when only firefox users are exposed?

Quicktime - default??? (1)

sundar_m77 (1097877) | more than 6 years ago | (#21496189)

>> if users have chosen QuickTime as the default player for multimedia formats hmm, Does anyone use quicktime as the default multimedia player?

Re:Quicktime - default??? (1)

leoxx (992) | more than 6 years ago | (#21496687)

Does anyone use the Quicktime player at all? What does it do that mplayer or VLC doesn't (besides having a terrible user interface and no support for Linux)?

What version of Firefox? Or IE? (1)

objekt (232270) | more than 6 years ago | (#21496191)

Stupid, stupid, stupid summary.

Re:What version of Firefox? Or IE? (1)

Lord Aurora (969557) | more than 6 years ago | (#21496255)

FWIW, TFA doesn't mention it either, it just mentions the version of QuickTime that is affected. It would be safe to assume, then, that all versions of FF and IE should be considered. Better safe than hacked.

Re:What version of Firefox? Or IE? (1)

Polysick (926605) | more than 6 years ago | (#21496305)

Since it's quicktime that's being exploited, it doesn't matter which version. It's because of the way IE and Safari have plugins for the quicktime files so the browsers just crash instead. FTFA they say that opening an email link or attachment would do the same thing.

Re:What version of Firefox? Or IE? (3, Informative)

sm62704 (957197) | more than 6 years ago | (#21496613)

Better safe than hacked.

No, better safe than CRACKED. When someone comes up with a hack for this, the problem is fixed.

Don't you know where you are? This is slashdot, not the wall street journal. Hacking is when you turn your transistor radio into a fuzzbox or your lawnmower into a robot. Hacking is NOT "breaking into a computer system" you silly normal person.

-mcgrew

Re:What version of Firefox? Or IE? (0)

Anonymous Coward | more than 6 years ago | (#21497337)

I think you're about ten years too late to reverse this change. Sorry.

mild oops (1)

objekt (232270) | more than 6 years ago | (#21496265)

Summary mentions IE 6/7 but what about Mac? No IE 6/7 there.
I use Safari for most browsing and I just upgraded my Firefox to 2.0.0.10

Re:What version of Firefox? Or IE? (1)

calebt3 (1098475) | more than 6 years ago | (#21496289)

This does not happen in IE. And it seems like this problem spans all versions of Firefox that open Quicktime as a separate process rather than as an internal plugin.

Re:What version of Firefox? Or IE? (1)

whitehatlurker (867714) | more than 6 years ago | (#21497397)

I agree with your assesment of the summary.

The CERT Vuln. Note [cert.org] gives somewhat better information and workarounds than I have seen elsewhere. (Some places say, "just block port 554 and you're safe." Nope.)

I would like to note that while the exploit released doesn't work on IE, Symantec notes that, with work, a new exploit could target IE. (And likely other browsers. As people have noted elsewhere - this isn't really a browser issue.)

Does that mean... (0)

gQuigs (913879) | more than 6 years ago | (#21496193)

IE will crash? And Firefox won't, but quicktime will? I think that's what I would prefer. It's not Firefox's responsibility to secure all external programs on the computer. Even if they do have plug-ins in Firefox.

Re:Does that mean... (1)

jerw134 (409531) | more than 6 years ago | (#21497021)

IE will crash, but your computer will be safe. Firefox won't crash, QuickTime will, and your computer will be owned. Is that really what you prefer?

Re:Does that mean... (1)

hcmtnbiker (925661) | more than 6 years ago | (#21497169)

IE will crash? And Firefox won't, but quicktime will? I think that's what I would prefer. It's not Firefox's responsibility to secure all external programs on the computer.

Simply put... NO. IE will not crash, the plug-in however will be unloaded for that instance. This isn't just about crashing the browser either, its a buffer overflow error and the article implies you can send some payload to the machine to be executed. But unless your running FF as root that really shouldn't be a big a problem.

Jews are the Enemy (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21496207)

The Jew kills and steals for his own benefit.

Beware the Jew.

Re:Jews are the Enemy (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21497355)

Yeah and Hitler helped blind children. Some people... bloody idiots.

Again? (0)

Anonymous Coward | more than 6 years ago | (#21496215)

Wasn't this fixed just few months ago? IIRC there was some quicktime flaw in FF a while ago and it got fixed. Or is this new bug?

Re:Again? (0)

Anonymous Coward | more than 6 years ago | (#21496251)

Die in a fire, fucktard. What are you doing posting if you have no clue what you're saying?

Re:Again? (0)

Anonymous Coward | more than 6 years ago | (#21496379)

What's your problem? Go back to your parent's basement and grow up.

Apple software not secure. (4, Insightful)

Anonymous Coward | more than 6 years ago | (#21496231)

So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?

Re:Apple software not secure. (0)

Bryansix (761547) | more than 6 years ago | (#21496293)

So how many of these examples do we need to demonstrate that Apple software is not secure, and is only less exploited because it's less popular?
Quoted for Truth.

Re:Apple software not secure. (1, Insightful)

Brainix (748988) | more than 6 years ago | (#21496889)

Really? Where are the gozillion iTunes exploits? Or is iTunes "less popular" too?

Re:Apple software not secure. (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21497301)

Its more that itunes isnt opening untrusted files and connecting to untrusted servers. I guess you could consider mp3s to be untrusted, but most of them come from apple's servers so its not like you are downloading them from some random guy in russia.

Re:Apple software not secure. (1, Informative)

Anonymous Coward | more than 6 years ago | (#21497409)

Don't want to feed the troll but your logic is complete garbage. In recent memory, I can't recall hearing about a significant amount of security exploits for quicktime - certainly not more than Windows Media Player. Let's also ignore how long it takes a software vendor to fix the original bug. But yes - let's take 1 quicktime flaw to generalize that Apple products are insecure.

If Just A Simple Buffer Overflow (1)

Nom du Keyboard (633989) | more than 6 years ago | (#21496233)

If it's just a simple buffer overflow, then shouldn't execute disable (NX bit for AMD, XD for stupid Intel who won't follow established standards) bit catch it for XP SP2 and other systems?

MOD PARENT UP (1)

Bob-taro (996889) | more than 6 years ago | (#21497403)

If it's just a simple buffer overflow, then shouldn't execute disable (NX bit for AMD, XD for stupid Intel who won't follow established standards) bit catch it for XP SP2 and other systems?

Good question. I was thinking the same thing. Someone mod parent up ... and can anyone provide an answer?

QuickTime == Java (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21496239)

QuickTime is about as useful as java. A 'quick' 125Kb download, to install about 50Mb of crap on my system, and a damn useless
taskbar icon, using valuable desktop space, just to tell me, yay! you have QuickTime installed!

I make it a habit to simply not view quicktime content, it's usually not worth my 'time' quick or not.

Troll -1 (4, Funny)

dgr73 (1055610) | more than 6 years ago | (#21496245)

"Quicktime bug!?! Oh sweet Joseph of Arimathea!!!! Quick, inform the users.. YES BOTH OF THEM!"

MOD Parent Funnt (2, Insightful)

Bryansix (761547) | more than 6 years ago | (#21496331)

Cause that is what his post is.

MOD Parent Stupif (0)

Anonymous Coward | more than 6 years ago | (#21496609)

Because that is what his post is.

Re:MOD Parent Stupif (1)

sm62704 (957197) | more than 6 years ago | (#21496655)

Yes, but stupid is very often funny, as the post was.

Re:Troll -1 (1)

steelfood (895457) | more than 6 years ago | (#21496781)

The interesting thing is, while Quicktime might not have two users, as an embedded player for online media, it has largely been supplanted as the defacto online media player and format by flash and flash videos. It seems while Quicktime's use might not be declining, it hasn't been gaining either even while online videos grow ever-more popular. The same could be said for WMV.

Not that it matters, as all it takes is one bad site with an embedded malicious video...

Safety through laziness. (0, Troll)

backbyter (896397) | more than 6 years ago | (#21496267)

QuickTime?

Haven't installed that in several years.

Re:Safety through laziness. (2, Insightful)

njfuzzy (734116) | more than 6 years ago | (#21496427)

If you have a Mac, then you have QuickTime. If you have iTunes, then you have QuickTime. That may not apply to you, but its fair to say it covers a huge chunk of marketplace overall. (I believe people who download Safari 3 Beta for Windows, and Bonjour for Windows, also have QuickTime by default, but they are bound to be a very small group.)

Re:Safety through laziness. (1)

backbyter (896397) | more than 6 years ago | (#21496747)

No Mac; Didn't bother to learn how to use that one button mouse.

No iTunes; Didn't bother to expend the energy to have my favorite music follow me where ever I go. (As a charter member of the "Ole Fuddy Duddy" group, I kinda like the quiet.)

No Safari, and I couldn't tell you what Bonjour was.

I'm pretty sure QuickTime is not on any machine I own. Unless that OLPC I ordered for my niece has QT installed. I'd check, but you know, that would mean I'd have to open the package, start the computer, etc... :)

security through instability (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21496357)

"while IE loads the QuickTime Player as an internal plugin and when the overflow occurs, standard buffer-overflow protection is triggered, shutting down the affected processes before any damage can occur."

Translation: IE crashes like it always does, and thus your system is safe!

Re:security through instability (1)

fluffy99 (870997) | more than 6 years ago | (#21496839)

What like FireFox doesn't crash and burn anytime a plug-in misbehaves? FF is worse than IE in that regard, especially with plugins like Adobe Acrobat reader. Isn't the FF fanclub party line that instabilities and crashes are caused by misbehaving extensions and plug-ins.

The real shame! (1, Troll)

Kylere (846597) | more than 6 years ago | (#21496485)

Anyone smart enough to use Firefox should also be smart enough not to use Quicktime. Quicktime is an excellent example of poorly written software, if it were not for complete trash like WMP no one would use it. Everyone sane uses VLC anyways.

Re:The real shame! (1)

phoebusQ (539940) | more than 6 years ago | (#21496543)

Many of you seem to be under the strange impression that QuickTime itself is a media player.

Firefox 3b? (1)

RSA7474 (1163263) | more than 6 years ago | (#21496539)

Does Firefox 3 handle Quicktime and an internal plug-in? I think it does now..

Quick fix: Download VLC player and it use as the default media player for Firefox..

Can someone explain the top of this Slashdot page? (0, Offtopic)

Seumas (6865) | more than 6 years ago | (#21496619)

Top right, in the links section for this page.

"Compare prices for Mozilla".

Uh . . . .

Design for maliciousness (3, Insightful)

PhxBlue (562201) | more than 6 years ago | (#21496653)

Software should be pessimistic. Design the code to handle incoming requests as potentially malicious, and you'll never be disappointed.

Phew (2, Insightful)

lluBdeR (466879) | more than 6 years ago | (#21496729)

Man am I glad my system seems to deal with this problem proactively: The Quicktime plugin crashes anything that contains it almost as soon as it's drawn!

Thank you Apple for protecting me from, well, Apple!

Alternative? (2)

rickatnight11 (818463) | more than 6 years ago | (#21496785)

Any word on how this affects Quicktime Alternative or QTLite as they are based on the Quicktime code?

The reasone why it is Firefox's problem... (1)

NavyTim (1060580) | more than 6 years ago | (#21497033)

is because they notified Apple and Steve Jobs said it was. Period. Steve has spoken.

A bigger problem (5, Insightful)

0123456 (636235) | more than 6 years ago | (#21497073)

Is that there's apparently no way to simply disable a plugin in Firefox. In order to completely disable Quacktime I've had to go through various plugin directories physically deleting the files, and next time I have to update it all the bloody plugins will be back again.

Why can't about:plugins just have a 'disable' box on each plugin? Or, better yet, a standard preferences menu list which just lets me disable them there and then?

Poor Dialog (1)

phantomcircuit (938963) | more than 6 years ago | (#21497255)

I just went to change the way that files are handled by Firefox as a work around.

The dialog requires that each file type be individually changed.

This would seem to be a VERY poor design.

Symantec is wrong... (4, Informative)

Anonymous Coward | more than 6 years ago | (#21497321)

http://erratasec.blogspot.com/2007/11/apple-quicktime-rtsp-update.html [blogspot.com]
http://erratasec.blogspot.com/2007/11/new-rtsp-quicktime-flaw-affects-both.html [blogspot.com]

Standard buffer overflow protection doesn't work, Symantec was wrong. It seems that parts of Quicktime are not enabled for ASLR making these attacks possible.

Website's fault (2, Insightful)

nbucking (872813) | more than 6 years ago | (#21497345)

This problem's principle fault lies with Apple. But it seems that they are sitting on their asses because it seems to be a problem that has been around for awhile. So those websites that use quicktime should use flash player, media player, or realplayer. Heck I have gotten video lan to take care of them all but those who do not want the trouble should blame the stupid websites. As far as I am concerned about firefox not handling apple's screwup as well as the other browsers it is scary. Yet if quicktime is broken then even if you use the other browsers then it simply does not matter, you still have DoS.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?