Mozilla has hurried out a new version of Firefox to block code execution attacks from Apple's QuickTime media player.
The fix (Firefox 18.104.22.168) comes just six days after the release of proof-of-concept exploits to show how rigged QuickTime files can be used to hijack Windows machines if Firefox is set as the default Web browser.
This is Mozilla's second attempt to prevent this type of attack. A patch released in July 2007 was meant to address this issue, but because QuickTime calls the browser in an unexpected way, that fix was bypassed.
To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line. Other command-line options remain, however, and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime.
Apple also attempted a fix for this issue in February 2007, but, as security researcher Aviv Raff discovered, QuickTime can still be used to pass attacks to both Firefox and Internet Explorer users.
The NoScript Firefox add-on has provided protection against this class of attack for several months.