No other changes are mentioned in the release notes.
The problem is that QuickTime files can contain a command to launch the default browser. This can be exploited by including Firefox parameters to cause script commands to be executed and run with user privileges. If the user has administrative privileges, this could be used to instal malware or carry out other malicious activities.
The cure has been to remove Firefox's ability to run command line scripts.
"[Version 2.0.0.7] will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," said Window Snyder, Mozilla's head of security strategy. "I would like to personally thank the individuals at Apple who worked with us and the engineers at Mozilla that work so hard to get security updates out so quickly."
The fix in Firefox 2.0.0.5 for a vulnerability created by the interaction of Firefox and Internet Explorer was originally thought to protect against an entire class of vulnerabilities, "but QuickTime calls the browser in an unexpected way that bypasses that fix," according to a Mozilla Foundation advisory. Furthermore, this particular issue is not caught by changes introduced to QuickTime 7.1.5 to prevent such exploits.
While Firefox 2.0.0.7 has been released for Windows, Mac OS X and Linux, it appears that the vulnerability it addresses only affects Windows.
The current version of QuickTime is 7.2.
Firefox updated for QuickTime vulnerability
Firefox 2.0.0.7 has been released to protect against a "critical" vulnerability exploitable through QuickTime files.
RECRUITMENT & RETENTION REPORT 2013
HIRE OR FIRE? BUY OR BUILD2013 is well underway and Australian companies need to know whether they should invest in IT skills training or pay a premium for the people they need.
If you want to know which choices are being made in your sector, what skills are hard to find, which sectors intend to hire or fire and where the IT spend is going, this free report is must have.
Stephen Withers
Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences, a PhD in Industrial and Business Studies, and is a senior member of the Australian Computer Society.
