Mozilla closes QuickTime attack vector in Firefox

Firefox users can protect themselves from a QuickTime attack vector by upgrading to Firefox 2.0.0.7, Mozilla said Tuesday.

Mozilla released a new version of Firefox Tuesday in an effort to keep the digital underground from launching attacks via Apple's QuickTime media player.

In Mozilla Foundation Security Advisory 2007-28, the company acknowledged last week's disclosure by researcher Petko D. Petkov that QuickTime media-link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options.

"When the default browser is Firefox 2.0.0.6 or earlier, use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user," Mozilla said in its advisory. "This could be used to install malware, steal local data, or otherwise corrupt the victim's computer."

To protect Firefox users from the attack vector, Mozilla said it eliminated the ability to run arbitrary script from the command line. Other command-line options remain, however, and QuickTime media-link files could still be used to annoy users with popup windows and dialogs until the issue is fixed in QuickTime, Mozilla added.

Firefox users will automatically be prompted to upgrade to version 2.0.0.7, which includes the fix.

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close