Mozilla released a new version of Firefox Tuesday in an effort to keep the digital underground from launching attacks...
via Apple's QuickTime media player.
In Mozilla Foundation Security Advisory 2007-28, the company acknowledged last week's disclosure by researcher Petko D. Petkov that QuickTime media-link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options.
"When the default browser is Firefox 220.127.116.11 or earlier, use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user," Mozilla said in its advisory. "This could be used to install malware, steal local data, or otherwise corrupt the victim's computer."
To protect Firefox users from the attack vector, Mozilla said it eliminated the ability to run arbitrary script from the command line. Other command-line options remain, however, and QuickTime media-link files could still be used to annoy users with popup windows and dialogs until the issue is fixed in QuickTime, Mozilla added.
Firefox users will automatically be prompted to upgrade to version 18.104.22.168, which includes the fix.