Firefox updated for QuickTime vulnerability

Firefox 2.0.0.7 has been released to protect against a "critical" vulnerability exploitable through QuickTime files.

No other changes are mentioned in the release notes.

The problem is that QuickTime files can contain a command to launch the default browser. This can be exploited by including Firefox command-line parameters that cause script commands to be executed with the user's privileges. If the user has administrative privileges, this could be used to install malware or carry out other malicious activities.

The cure has been to remove Firefox's ability to run command line scripts.

"[Version 2.0.0.7] will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," said Window Snyder, Mozilla's head of security strategy. "I would like to personally thank the individuals at Apple who worked with us and the engineers at Mozilla that work so hard to get security updates out so quickly."

The fix in Firefox 2.0.0.5 for a vulnerability created by the interaction of Firefox and Internet Explorer was originally thought to protect against an entire class of vulnerabilities, "but QuickTime calls the browser in an unexpected way that bypasses that fix," according to a Mozilla Foundation advisory. Furthermore, this particular issue is not caught by changes introduced to QuickTime 7.1.5 to prevent such exploits.

While Firefox 2.0.0.7 has been released for Windows, Mac OS X and Linux, it appears that the vulnerability it addresses only affects Windows.

The current version of QuickTime is 7.2.