Apple’s Quicktime and Microsoft Windows Media Player could continue to be ways of infection regardless of what the default internet browser a user has. This is due to two different exploits which have been recently found by security experts.
Even though Mozilla has patched Firefox, it’s users are still vulnerable to the QuickTime flaw, as Apple has failed to fully patch it.
Due to the QuickTime vulnerability, hackers are allowed to run scripting commands with full user rights. This makes it possible for a hacker to gain remote control over a user‘s computer and install malicious software, as well as to steal personal details.
"The QuickTime exploit fits well into the Web 2.0 environment. It fools surfers into clicking on a link to introduce the code. Many Windows users do not know that they are exposed. If they download iTunes, the software automatically places a copy of QuickTime on the computer to play the Apple music files," Paul Henry of Secure Computing, told TechNewsWorld.
A year ago, it has been discovered, that QuickTime link files can have script code that could be executed by a browser in an unprivileged Internet security zone. This vulnerability would only allow cross-site scripting attacks. This year, however, it has been discovered that the script code could well be executed at the highest privilleges, which means that anything executable can be run locally.
"Given the prominence of Web 2.0 applications, any user can now easily insert a URL in to a social Web site or blog. It is highly likely that this exploit will gain in prominence," Henry said. "The risk of a casual user downloading a rootkit and becoming part of a spam botnet, or perhaps becoming a victim of identity theft with the downloading of a keylogger, is greatly increased with the latest version of this exploit."
"Apple ignored warnings about this last year and allowed scripting without user intervention. Somewhere along the line, everyone at Apple missed the boat on this vulnerability. They had no level of understanding about how widespread this could become," Randy Abrams of ESET, told TechNewsWorld.
Apple‘s actions have always been insidious. They only release bug fixes, but fail to say what bugs precisely are being fixed.
"Apple is about 12 years behind Microsoft in patch controls. Apple says it has patched the original vulnerability, but there is no proof of this," said Abrams.
The WMP vulnerability exists due to the fact that it‘s metafiles such as .asx, .wvx and others have the command line „HTMLview“, and these websites are opened using Internet Explorer, regardless of whether it is the default browser, thus making the user‘s system vulnerable to all of IE flaws.
According to Henry, who tried the Proof-of-Concept code himself, the vulnerability allows hackers to phish for users‘ credentials, but only in a Windows environment.
A way has been found for hackers to get administrative rights using a combination of an attack vector and Firefox.
This vulnerability can be taken care of by updating WMP to version 10 or 11, or to patch Internet Explorer, the latter being a less effective way.