Mozilla Patches QuickTime/Firefox Flaw

Mozilla has released a patch today for its popular Firefox webbrowser which ditches the ability to run arbitrary script from the Firefox command line, a quick fix for a year-old QuickTime bug that could be used to take over user systems. Security researcher Petko D. Petkov on Sept. 12 posted proof-of-concept code showing that the low-risk, year-old QuickTime bug could easily be turned into a high-risk attack on Firefox, Internet Explorer, Skype and other programs. Petkov—aka pdp—showed how QuickTime media formats can be used to get into Firefox, leading to full browser compromise and perhaps even to compromise of the underlying operating system.

Mozilla said that its fix for MFSA 2007-23 was supposed to stop this type of attack but that QuickTime calls the browser in an unexpected way that bypasses that fix. So, to protect Firefox users, it's stripping out the ability to run arbitrary script from the command line entirely. Don't worry, though; until Apple has fixed the issue in QuickTime, QuickTime Media-link files can still be used to annoy users, Mozilla said. "Other command-line options remain, ... and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime," the open-source foundation said in its post.

View: Full Story on eWeek

Report a problem with article
Previous Story

EU Says It Has Money to Salvage Galileo

Next Story

Qualcomm Under ITC Scrutiny...Again

8 Comments

Commenting is disabled on this article.

It was not a firefox flaw. It was an apple's quicktime flaw. Firefox just made some changes so users using Firefox wouldn't be infected. Quicktime still has the flaw and can still be exploited in IE/Opera and whatever else is out there.

supernova_00 said,
It was not a firefox flaw. It was an apple's quicktime flaw. Firefox just made some changes so users using Firefox wouldn't be infected. Quicktime still has the flaw and can still be exploited in IE/Opera and whatever else is out there.

From what I read, that's not true. The exploit as mentioned by pdp only affects users with Firefox installed via its -chrome command line option.

Users who have only IE or Opera, etc. will not be affected by this particular flaw in QT.

So, I would categorize it as a QT bug which exploited a Firefox "feature".

What... No ones blaming IE for this... what has the world come to :)

This is a joke by the way so dont go on a rampage in flaming etc.

atleast the security is fixed... still sucks though about potential annoyances from popups.

whats the deal with quicktime alternative, are they still making this or not?

cause i have the latest version of quicktime alternative installed.