A researcher has demonstrated how a security bug in Apple's QuickTime media player that was disclosed a year ago can cause Firefox to install backdoors and other malware on a fully patched computer. He said both Windows and Mac systems are vulnerable. The researcher, Petko D. Petkov, on Wednesday posted proof-of-concept code …
For the attack to work, users must be logged in as an administrator.
Which is exactly why you only login to root for very special and limited circumstances...
Re: For the attack to work...
Yeah, and how many Windows users are running as administrator, since the first account created is basically root?
Score one for the Linux camp, we don't even have QuickTime.
Regardless of some comments
I have made in the past, I'm really not in the Windows, Open Source, or *inx camp. I just want tools that make business as easy as possible.
However, I do have to say early predictions about market dominance and (in)security are proving themselves true. As more people adopt non Windows products, more bad guys are going to target them. Hacking anything but MS has traditionally been a waste of time, but as other products start to acquire market share they become viable targets.
IT security for the masses is a joke. Considering that people have been trying for thousands of years to secure physical assets, and still fail, it'll be a really, really, long time before it's "absolutely safe" to be online.
Guess it's the kind of risk, we have to take, to keep a dog-ugly POS operating system like Linux away from our computers...
Quicktime IS malware
Anything that installs and associates itself, then demands money to enable features you previously had is malware.
mac and windows?
Any windows users stupid enough to be using quicktime as their primary media player deserve everything they get.
Quicktime doesn't even pretend to try and integrate into windows properly. It gives a nice mac user interface using mac interface conventions, which is infuriating if you are not using a Mac because they are completely different to all other applications.
OS X' default user account privileges are admin-level, actually.
No problem for macs
"I see no reason why it shouldn't work on Mac" a simple test of the proof of concept shows that it does not work on a mac.
For the attack to work, users must be logged in as an administrator....
Unfortunately, for Firefox to work, users must be logged in as an administrator.
Yet another Mozilla security hole due to poor input validation.... presumably this one will somehow be blamed on IE too.
Re: Regardless of some comments
The "if more people used Linux/Unix there would be more exploits for it" argument is bogus. It's a variant of the "security through obscurity" argument, and is possibly a result of a too narrow-sighted view of IT as a whole.
The vast majority of Internet servers run Unix, yet Windows boxes remain the softest targets. Not because Unix machines can't be cracked (historically, most famous cracks were against Unix, which used to be perceived as having weak security compared to the competition!) or aren't attractive targets - in fact, cracked Unix hosts are highly prized among black hats because one can do more with them than with the average Windows PC.
The fact that vast hordes of Windows desktops can be trivially taken over by random script kiddies has litle to do with their market dominance, and the fact that this is harder to do with the various *nix flavours has little to do with their lack of presense in the desktop field.
Firefox doesn't need admin
"Unfortunately, for Firefox to work, users must be logged in as an administrator."
That is completely untrue. Firefox works fine under a non-admin account. I'm using it on Vista under UAC right now and I have also used it on XP under a non-admin account.
"admin-level" in OSX isn't the same as root. AFAICT, you get sudo privilege and access to files/folders in the admin group so you could do some damage but it is limited.
Obviously, more damage can be done once you have responded to a prompt for your password but who would be dumb enough to do that? Oh, wait...