April 25, 2007

apple quicktime flaw

I'm not fully up to speed on this problem yet, and I'll post more as soon as I know, but I've read several descriptions now of a flaw in Apple's QuickTime and how it interacts with Java that could be exploited to compromise Firefox, Safari, and IE 6 and 7 users (and possibly others).

It sounds like you can protect yourself by disabling Java. In Firefox you can accomplish this by going into the Firefox Preferences/Options and unchecking the "Enable Java" item in the Content panel.

Like I said, I'm still getting up to speed on this and all of the details don't yet seem available, but this looks like it is clearly a flaw in Apple's QuickTime so I presume disabling or removing QuickTime would also solve the problem.

More as I learn it.

update: From NIST.org (not the US Government's NIST):

The Quicktime bug seems to be passed to it by a Java capable web browser using the Quicktime for Java interface (QT4J). Any web browser that supports Java will become a vulnerability vector if Quicktime is installed. If Java support is disabled in the browser it can no longer be used for an attack.

So, if you're using a browser that has both Java and Quicktime, now would probably be a good time to disable or remove those plugins.

update2: Joris, over at cNet, is reporting mostly the same information but it's a confirmation from TippingPoint that this is indeed an Apple flaw, in QuickTime, that can be exploited on Mac or Windows. The TippingPoint spokesperson said, "We have now verified that this issue affects both Windows and Mac operating systems, including Windows Vista through Internet Explorer."

Posted by asa at 12:16 PM

 

reactions, thoughts, comments, etc.

Is there any way to see the path to plugin DLLs in about:plugins? I deleted files I didn't need from Firefox plugins dir but they are still loading...

Posted by: pooya | April 25, 2007 2:52 PM

Someone needs to tell Apple and Sun to fix their plugins.

Posted by: Omega X | April 25, 2007 3:10 PM

I obviously don't know the extent of this bug, but if it can run arbitrary code if you go on to a website that takes advantage of this vulnerability then that's not good. People don't update or mess with their plug-ins very often, even if they do pay attention to security updates.

Posted by: Damian | April 25, 2007 4:08 PM

pooya:
You can see the path to the plugins being loaded by going to about:config and changing plugin.expose_full_path to true. There's also a plugin.scan.Quicktime - I think it's the minimum version number of found QuickTime plugins to use if they're not in the normal plugin directories. Setting that to an arbitrary high value might help.

For Windows at least (I don't know about other platforms), going to the QuickTime control panel, and in the browser tab unchecking mime types might help. I do not know for sure, though, since I do not actually know what the vulnerability is (nor am I likely to understand it...)

Posted by: Mook | April 25, 2007 10:44 PM

I think Firefox should blacklist the Java + Quicktime combination in the next security release and just deny loading the quicktime plugin if Java is enabled.

Probably you could report this at first start after the firefox update and give the users the option to leave Quicktime disabled or to go to the download page for the quicktime plugin (if an update with the bug fixed is released).

Of course it is debatable whether Mozilla should get into this area, but I think it's Firefox' "responsibility" to help users browse the web safely and this sounds pretty serious.

Posted by: Bram van Leur | April 26, 2007 12:26 AM

@Mook. Thanks. Just checked that out and that's what I wanted. I wonder why it is not on by default, 'cause I am sure anyone who goes to about:plugins wants all the information about plugins.

Posted by: pooya | April 29, 2007 11:33 AM

Apple just released QuickTime 7.1.6 to fix a flaw in QuickTime for Java -- not sure if it's this specific issue, but it is a serious one anyway:

QuickTime 7.1.6 delivers numerous bug fixes, addresses a critical security issue with QuickTime for Java and includes support for:

* Final Cut Studio 2
* Timecode and closed captioning display in QuickTime Player

This update is recommended for all QuickTime 7 users.

Since you recommended the removal of these plug-ins in this post, you should update your readers that this update will (hopefully) allow them to restore these plug-ins.

Posted by: QuickFire | May 2, 2007 5:23 AM
