Firefox Gets QuickTime Fix
Mozilla has mobilized its Firefox developers and come up with a patched version of its open source browser to protect against a zero-day exploit involving Apple's QuickTime.
Firefox 184.108.40.206 is expected to be officially released later today and will plug the flaw. On Sept. 12, security researcher Petko D. Petkov reported that Apple QuickTime media formats could be used to hack into Firefox. When launching QuickTime from Firefox, a remote hacker could potentially have launched arbitrary script commands with the full privileges of the user.
"The result of this vulnerability can lead to full compromise of the browser and maybe even the underlying operating system," Petkov warned in his advisory on the issue.
The same day Petkov issued his warning, Mozilla logged the bug as #395942 in its Bugzilla bug-tracking system and immediately began working on a fix. Mozilla developer Gavin Sharp wrote in a Bugzilla entry that the QuickTime plug-in should be fixed so that it does not allow launching the default browser with arbitrary parameters.
Apparently Mozilla had attempted to prevent this type of vulnerability as recently as the Firefox 220.127.116.11 release, with its fix for the "Remote code execution by launching Firefox from Internet Explorer" bug, also known as MFSA 2007-23.
"The fix for MFSA 2007-23 was intended to prevent this type of attack, but QuickTime calls the browser in an unexpected way that bypasses that fix," Mozilla's advisory on the QuickTime error notes.
"To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line. Other command-line options remain, however, and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime."
Mozilla alleges that the recently updated Apple QuickTime 7.1.5 does not prevent the issue. Though the fix is in Firefox, Mozilla Chief Security Officer Window Snyder blogged last week that Mozilla is working with Apple to keep users safe.