Commentary

QuickTime Patch Procrastination Poses Firefox Problems

Said it before, say it again: Bad enough to have flawed and vulnerable software out there, but probably unavoidable as code gets more and more complex. Completely unavoidable and equally inexcusable is letting a known vulnerability languish for any amount of time, much less a full year. Yet that's exactly what Apple's done with a QuickTime media player security hole that's been known of for at least that long.

The QuickTime media player vulnerability puts Firefox browser users at risk by way of a backdoor entry path for hackers masking their malice as QuickTime media files. Click the file while browsing via Firefox and the crooked code cuts loose, compromising your computer.

The vulnerability was one of two identified by exploit expert Petko D. Petkov in September, 2006. Apple patched one, let the other slide.

Petkov's year's worth of frustration led him to post proof-of-concept code showing just how problematic the vulnerability can be. That code, some feel, will get turned into actual exploits quickly.

Irony is that earlier this year Apple got high marks for fast-fixing a QuickTime vulnerability that, admittedly, was higher risk with a much broader potential target base.

That's not the point -- or maybe it is. The size of the target base is a consideration factor to a company that has to devote resources to patching a hole. Shouldn't be, but it is.

But to anyone running Firefox with QuickTime as its default media player, the target base is a party of one: themselves. Patch this problem, Apple!

Mozilla is making noise about the seriousness of the Firefox/QuickTime problem, which so far appears to affect only Firefox for Windows.

Mozilla's also got a tech-blog on the vulnerability here.
