Home > Security News > Mozilla closes QuickTime attack vector in Firefox
Security News:
EMAIL THIS

Mozilla closes QuickTime attack vector in Firefox

By SearchSecurity.com Staff
19 Sep 2007 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

Mozilla released a new version of Firefox Tuesday in an effort to keep the digital underground from launching attacks via Apple's QuickTime media player.

In Mozilla Foundation Security Advisory 2007-28, the company acknowledged last week's disclosure by researcher Petko D. Petkov that QuickTime media-link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options.

"When the default browser is Firefox 2.0.0.6 or earlier, use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user," Mozilla said in its advisory. "This could be used to install malware, steal local data, or otherwise corrupt the victim's computer."

To protect Firefox users from the attack vector, Mozilla said it eliminated the ability to run arbitrary script from the command line. Other command-line options remain, however, and QuickTime media-link files could still be used to annoy users with popup windows and dialogs until the issue is fixed in QuickTime, Mozilla added.

Firefox users will automatically be prompted to upgrade to version 2.0.0.7, which includes the fix.



Tags: Web Browser SecurityVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google



RELATED CONTENT
Web Browser Security
Exploit code targets Internet Explorer zero-day display flaw
InZero Systems launches hardware-based security gateway
Web security firm ranks Firefox, Safari browsers as flaw prone
Microsoft fixes security update that breaks Internet Explorer
Mozilla update repairs Firefox buffer overflow vulnerabilities
Kaspersky system analyzes malicious URLs on Twitter for malware
Silon malware intercepts Internet Explorer sessions, steals credentials
Do Facebook URL security concerns justify blocking social networks?
Phishing attacks to remain a major problem, say security experts
Adrian Perrig: Improve SSL/TLS Security Through Education and Technology
Web Browser Security Research

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
browser hijacker  (SearchSecurity.com)
cache cramming  (SearchSecurity.com)
cache poisoning  (SearchSecurity.com)
honey monkey  (SearchSecurity.com)
JavaScript hijacking  (SearchSecurity.com)
NCSA  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



More Tips to Secure Your Network
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts