Month of Apple Bugs - Day 3

03 Jan 2007, 22:31 PST

Today's Fix

The third issue from the Month of Apple Bugs takes advantage of the interaction between web browsers and the QuickTime Plugin, leading to a cross-site scripting vulnerability.

The vulnerability allows an embedded quicktime movie, located on an external site (eg, an ad server), to execute javascript in the context of the enclosing page. Please note that the current 10.4.8 version of Safari does not appear to execute JavaScript from a QuickTime HREFTrack, and thus does not appear to be susceptible to this attack.

Today's fix involves patching the QuickTime Plugin's rNPN_GetURL() function, which is responsible for asking the browser to load a page. The patch replaces any javascript: URL requests with a javascript alert box that reads: "[MOAB] Blocked a QuickTime JavaScript Call. See for more information."

A huge thanks to both Alexander Strange and Rosyna of Unsanity for doing most of the work to track down the issue. I also owe a big favor to my friend William Carrel, who was kind enough to do a code review of the latest changes, and set up a new MOAB Fixes Google Group.

I'd also like to thank all those who have written kind e-mails, or sent other well wishes. It's very much appreciated.

You can download the source, or a pre-built binary. As always, You'll need to install Application Enhancer to use this -- once it's installed, simply double-click on the Moab bundle to install the patch.

News and Updates

As I mentioned above, William Carrel has set up a MOAB Fixes Google Group, where I will be coordinating bug fixes for the rest of the month.

In addition to the above fix, I've also updated the fix for the QuickTime RTSP issue. I fixed a bug in the argument handling (I miscounted the total number of arguments pushed on the stack), and I've added extra seat belts to ensure that the fix will automatically disable itself upon a new release of the QuickTime Streaming Component.

Cross-zone Vulnerability Update

The astutely observant Aviv Raff noted that the QuickTime vulnerability permits Cross-Zone Scripting, which could allow QuickTime movies to access local reference protocol handlers, and potentially permit remote code execution, in addition to the cross-site scripting aspect we've already patched. Just to be safe, I'll be issuing an update later today with a more restrictive (whitelist-based) protocol filter.