Firefox ships 'fix' for QuickTime attack vector

Summary: Mozilla has hurried out a new version of Firefox to block code execution attacks from Apple's QuickTime media player.


The fix (Firefox 2.0.0.7) comes just six days after the release of proof-of-concept exploits to show how rigged QuickTime files can be used to hijack Windows machines if Firefox is set as the default Web browser.

This is Mozilla's second attempt to prevent this type of attack. A patch released in July 2007 was meant to address this issue but because QuickTime calls the browser in an unexpected way, that fix was bypassed.

To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line. Other command-line options remain, however, and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime.

Apple also attempted a fix for this issue in February 2007 but as security researcher Aviv Raff discovered, QuickTime can still be used to pass attacks to both Firefox and Internet Explorer users.

The NoScript Firefox add-on has provided protection against this class of attack for several months.

ALSO SEE:

Unpatched QuickTime-to-Firefox flaw dings IE too

One-year-old QuickTime bug comes back to bite Firefox


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio
