Security researcher Petko D. Petkov has released details on a year-old vulnerability in Apple's QuickTime media player that can cause Firefox to install backdoors and other malware on a fully patched computer.
"On its own, the QuickTime issue is less critical. [...]Firefox is not vulnerable either. But when put together, they create a very dangerous combination," said Petkov.
According to Petkov, the current version of QuickTime contains a flaw in its Media Link function, which enables the program to parse up to 60 different file types with a compatible extension. However, because it fails to sanitize the XML content, malicious code can be pasted into media files and executed in JavaScript form. The exploit can reportedly bypass 'chrome' privileges in Firefox and its built-in security features. The researcher posted proof-of-concept code that shows how the exploit can be used to run privileged code on an unsuspecting user's computer.
Mozilla security chief Window Snyder has confirmed this is a "very serious issue" for Firefox users and said it is working with Apple on a fix, but until that happens users are advised to disable the QuickTime plug-in.