May 03 2007
This QuickTime bug has the potential to be a nasty little cross-browser exploit. If you haven’t already turned off Java in your browser, you should stop reading and do it now. Even if you’ve updated to the latest and greatest QuickTime and Java patches, you might want to leave Java off in your browser. I’m running Firefox with Java off on both my main systems, and I’m running NoScript on my MacBook Pro, soon to be installed on the Windows desktop. Yes, no Java will interfere with some sites, but not as many as you’d think.
Thomas does an excellent job of explaining how this bug affects your system in something close to plain English. It’s more than a little bit scary that he can demonstrate the bug in less than five lines of code. If he can show it that quickly, I have to imagine it can’t be too hard for a talented coder to work up a more useful exploit for the vulnerability, if they haven’t already. Making the exploit cross-platform will be a lot harder, but given a little bit of time, I’m pretty sure it will happen.