Wednesday, December 13, 2006

Social networks vulnerable to QuickTime security flaws.

I guess everyone knows about the recent QuickTime worm that affected a lot of MySpace users. Apple has not yet released a fix for it, but has instead only provided a fix for MySpace users and for Internet Explorer users. This means anyone using any other browser, and any other social networking site using QuickTime, is still vulnerable to this kind of attack.

According to the F-Secure blog, QuickTime fails to warn users before loading and executing JavaScript from external resources, two things that all similar applications are expected to do. For example, Flash allows embedded scripts, but it warns the user when a Flash application tries to access an external resource.

The HREF track flaw, which was the one used to attack the MySpace users, is apparently not the only flaw in QuickTime. QuickTime is vulnerable to another, similar flaw, and it still remains unfixed.

According to the GNUCITIZEN blog, the basic problem is that, because of its flexibility, QuickTime seems to allow execution of malicious content in the form of JavaScript from media files such as mp3, mp4, m4a and everything else that is supported. In the article Backdooring MP3 Files, the writer discusses this QuickTime vulnerability, which is different from the recent HREF track vulnerability.

Apple claims these flaws are a feature of QuickTime, while F-Secure disagrees, calls it a vulnerability, and recommends that websites block Apple QuickTime content completely until a patch is available from Apple for both vulnerabilities.
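
The blocking F-Secure recommends, sketched as an added example (not code from this post, from F-Secure or from any site): a filter for user-submitted markup that removes every `<embed>` and `<object>` element rather than matching on file extension, since ordinary media types such as mp3 can carry the script. The class and function names, the sample markup and its URLs are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Elements that hand a URL to a browser plugin such as QuickTime.
PLUGIN_TAGS = {"embed", "object"}
# Constructed sample of user-submitted profile markup (hypothetical URLs).
SAMPLE = ('<p>Song &amp; video:</p>'
          '<embed src="http://media.example/song.mp3" type="audio/mpeg">'
          '<object data="http://media.example/clip.mov"><param name="autoplay" value="true">'
          '<embed src="http://media.example/clip.mov"></object><p>Enjoy!</p>')

class PluginStripper(HTMLParser):
    """Re-emits markup without plugin-loading elements (added example)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []
        self.depth = 0  # number of dropped <object> elements still open

    def handle_starttag(self, tag, attrs, self_closing=False):
        if tag in PLUGIN_TAGS:
            a = dict(attrs)
            self.blocked.append((tag, a.get("src") or a.get("data") or ""))
            if tag == "object" and not self_closing:
                self.depth += 1  # swallow children until </object>
        elif self.depth == 0:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag == "object":
            self.depth = max(0, self.depth - 1)
        elif tag != "embed" and self.depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def strip_plugin_content(markup):
    parser = PluginStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.blocked
```

`strip_plugin_content(SAMPLE)` returns the cleaned markup together with the list of removed `(tag, url)` pairs for logging; an unclosed `<object>` swallows the rest of the input, so the filter fails closed. It covers only the plugin-blocking step and is not a complete HTML sanitizer.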