Mozilla closes QuickTime attack vector in Firefox

SearchSecurity.com Staff
Mozilla released a new version of Firefox Tuesday in an effort to keep the digital underground from launching attacks via Apple's QuickTime media player.

In Mozilla Foundation Security Advisory 2007-28, the company acknowledged last week's disclosure by researcher Petko D. Petkov that QuickTime media-link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options.

"When the default browser is Firefox 2.0.0.6 or earlier, use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user," Mozilla said in its advisory. "This could be used to install malware, steal local data, or otherwise corrupt the victim's computer."

To protect Firefox users from the attack vector, Mozilla said it eliminated the ability to run arbitrary script from the command line. Other command-line options remain, however, and QuickTime media-link files could still be used to annoy users with popup windows and dialogs until the issue is fixed in QuickTime, Mozilla added.

Firefox users will automatically be prompted to upgrade to version 2.0.0.7, which includes the fix.

