Firefox ships 'fix' for QuickTime attack vector

Firefox ships 'fix' for QuickTime attack vector

Summary: Mozilla has hurried out a new version of Firefox to block code execution attacks from Apple's QuickTime media player.

SHARE:

Mozilla has hurried out a new version of Firefox to block code execution attacks from Apple's QuickTime media player.

The fix (Firefox 2.0.0.7) comes just six days after the release of proof-of-concept exploits to show how rigged QuickTime files can be used to hijack Windows machines if Firefox is set as the default Web browser.

This is Mozilla's second attempt to prevent this type of attack. A patch released in July 2007 was meant to address this issue but because QuickTime calls the browser in an unexpected way, that fix was bypassed.

To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line. Other command-line options remain, however, and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime.

Apple also attempted a fix for this issue in February 2007 but as security researcher Aviv Raff discovered, QuickTime can still be used to pass attacks to both Firefox and Internet Explorer users.

The NoScript Firefox add-on has provided protection against this class of attack for several months.

ALSO SEE:

Unpatched QuickTime-to-Firefox flaw dings IE too

One-year-old QuickTime bug comes back to bite Firefox

Topics: Security, Browser, Hardware, Mobility

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments
Log in or register to join the discussion
  • The patch to the patch of the patch that Apple failed to patch

    [i]Apple also attempted a fix for this issue in February 2007[/i]

    Doesn't Apple test anything it releases? Typical Apple quality.

    snicker, smirk :)
    NonZealot
  • Is this a Quicktime bug?

    Or another example of the Microsoft Windows URI protocol handling vulnerability (http://www.kb.cert.org/vuls/id/403150)

    It seems to affect only Quicktime on Windows and seems to show similar behavior.
    frgough
    • duh yes this is a quicktime bug

      apple made it they put it out so yes this is an apple bug
      SO.CAL Guy
      • It was an honest question

        Everyone is saying this is a quicktime bug, but it looks like the protocol handling problem Windows has in the link I provided. Just looking for clarification, not some snarky response from a guy who didn't even bother to read the link.
        frgough
    • Yes, but also a FF bug

      QuickTime and Firefox are both to blame for this one. Apple is responsible for their app being exploitable, and Mozilla is responsible for their browser being exploitable by an app.
      ejhonda
    • Different vulnerability.

      Your link has to do with a URL parsing problem. This issue is a script execution vulnerability.
      ShadeTree
  • it's funny none of you zealots notice

    what the link frgough has posted seems to say.

    Microsoft changed URL interpretation in their operating system - with their wonderful IE7 browser.

    Which would seem entirely unnecessary, except 'because they can'.

    Now, who's at fault for causing this security problem?

    And who look foolish for their knee-jerk jerk answers? Those are very tiresome in these forums, by the way. The first thought is always that they reflect poorly on the competence of the jerkers.

    My 2 cents.
    Narr vi
  • RE: Firefox ships 'fix' for QuickTime attack vector

    firefox and quicktime are the best two things to happen to the evolution of video software and web surfing in recent history of technology
    ncoltun