QuickTime to Firefox issue

Window Snyder

Issue

Petko D. Petkov identified an issue in QuickTime that allows an attacker to execute arbitrary code.

Impact

If Firefox is the default browser when a user plays a malicious media file handled by QuickTime, an attacker can use a vulnerability in QuickTime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in QuickTime. So far this is only reproducible on Windows.

Petkov provided proof-of-concept code that may be easily converted into an exploit, so users should consider this a very serious issue.

Status

Mozilla is working with Apple to keep our users safe, and we are also investigating ways to mitigate this more broadly in Firefox.

You can follow our work in Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=395942

Credit

Petko D. Petkov discovered this issue and posted details here.