Mozilla has mobilized its Firefox developers and come up with a patched
version of its open source browser to protect against a zero day exploit
involving Apple’s QuickTime.
Firefox 220.127.116.11 is expected to be officially released later today and will
plug the flaw. On Sept. 12 security researcher Petko D. Petkov
reported that Apple QuickTime media formats can hack into Firefox. When
launching QuickTime from Firefox a remote hacker could have potentially
launched arbitrary script commands with the full privileges of the user.
“The result of this vulnerability can lead to full compromise of the browser
and maybe even the underlying operating system,” Petkov warned in his
advisory on the issue.
At the time Petkov issued his warning, Mozilla the same day labeled the bug
as #395942 in its bugzilla bug tracking system and immediately began the
process of coming up with a fix. Mozilla developer Gavin Sharp wrote in a
bugzilla entry that the QuickTime plug-in should be fixed to not allow
launching the default browser with arbitrary parameters.
Apparently Mozilla had attempted to prevent this type of vulnerability as
recently as the Firefox 18.104.22.168 release with its fix for the Remote code execution by launching Firefox from Internet Explorer bug, also
known as MFSA 2007-23.
“The fix for MFSA 2007-23 was intended to prevent this type of attack, but
QuickTime calls the browser in an unexpected way that bypasses that fix,”
Mozilla advisory on the Quick Time error notes.
“To protect Firefox users
from this problem we have now eliminated the ability to run arbitrary script
from the command-line. Other command-line options remain, however, and
QuickTime Media-link files could still be used to annoy users with popup
windows and dialogs until this issue is fixed in QuickTime.”
Mozilla alleges that the recently updated Apple QuickTime 7.1.5 does not
prevent the issue. Though the fix is in Firefox, Mozilla Chief Security
Officer Window Snyder blogged last week that Mozilla is working with Apple
to keep users safe.