News Stay informed about the latest enterprise technology news and product updates.

Mozilla closes QuickTime attack vector in Firefox

Firefox users can protect themselves from a QuickTime attack vector by upgrading to Firefox, Mozilla said Tuesday.

Mozilla released a new version of Firefox Tuesday in an effort to keep the digital underground from launching attacks via Apple's QuickTime media player.

In Mozilla Foundation Security Advisory 2007-28, the company acknowledged last week's disclosure by researcher Petko D. Petkov that QuickTime media-link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options.

"When the default browser is Firefox or earlier, use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user," Mozilla said in its advisory. "This could be used to install malware, steal local data, or otherwise corrupt the victim's computer."

To protect Firefox users from the attack vector, Mozilla said it eliminated the ability to run arbitrary script from the command line. Other command-line options remain, however, and QuickTime media-link files could still be used to annoy users with popup windows and dialogs until the issue is fixed in QuickTime, Mozilla added.

Firefox users will automatically be prompted to upgrade to version, which includes the fix.

Dig Deeper on Web browser security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.