Mozilla Patches QuickTime/Firefox Flaw

Advertisement (Why?)

Mozilla has released a patch today for its popular Firefox webbrowser which ditches the ability to run arbitrary script from the Firefox command line, a quick fix for a year-old QuickTime bug that could be used to take over user systems. Security researcher Petko D. Petkov on Sept. 12 posted proof-of-concept code showing that the low-risk, year-old QuickTime bug could easily be turned into a high-risk attack on Firefox, Internet Explorer, Skype and other programs. Petkov—aka pdp—showed how QuickTime media formats can be used to get into Firefox, leading to full browser compromise and perhaps even to compromise of the underlying operating system.

Mozilla said that its fix for MFSA 2007-23 was supposed to stop this type of attack but that QuickTime calls the browser in an unexpected way that bypasses that fix. So, to protect Firefox users, it's stripping out the ability to run arbitrary script from the command line entirely. Don't worry, though; until Apple has fixed the issue in QuickTime, QuickTime Media-link files can still be used to annoy users, Mozilla said. "Other command-line options remain, … and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime," the open-source foundation said in its post.

View: Full Story on eWeek

#1 ThaCrip on 19 Sep 2007 - 21:46

atleast the security is fixed... still sucks though about potential annoyances from popups.

whats the deal with quicktime alternative, are they still making this or not?

cause i have the latest version of quicktime alternative installed.

#2 YaZoR on 19 Sep 2007 - 23:11

Apple suck.

Especially Granny Smiths.

Golden Delicious FTW!!!

(1 reply) #3 JohnBfromMemphis on 19 Sep 2007 - 23:11

It's rather odd that quicktime alternative is based on actual quicktime isn't it?

#3.1 NightmarE D on 19 Sep 2007 - 23:24

It uses certain files from the actual Quicktime player while removing all the other stuff you don't need.

#4 Stup0t on 20 Sep 2007 - 08:00

What... No ones blaming IE for this... what has the world come to

This is a joke by the way

so dont go on a rampage in flaming etc.

#5 Azmodan on 20 Sep 2007 - 13:10

Ok... Fx 2.0.0.7 shows up on the Software section yesterday, news regarding the fix shows up today. WTF?

(1 reply) #6 supernova_00 on 20 Sep 2007 - 14:42

It was not a firefox flaw. It was an apple's quicktime flaw. Firefox just made some changes so users using Firefox wouldn't be infected. Quicktime still has the flaw and can still be exploited in IE/Opera and whatever else is out there.

#6.1 earthsound on 21 Sep 2007 - 14:36

Quote - (supernova_00 said @ #6)

From what I read, that's not true. The exploit as mentioned by pdp only affects users with Firefox installed via its -chrome command line option.

Users who have only IE or Opera, etc. will not be affected by this particular flaw in QT.

So, I would categorize it as a QT bug which exploited a Firefox "feature".

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Neowin.net