Firefox Issues Version 2.0.0.7, Fixes QuickTime Flaw
Mozilla today released an update to its Firefox browser to fix a QuickTime vulnerability that was reported last week.

The vulnerability was reported by a security researcher, Petko Petkov. He wrote on his blog that if Firefox is the default browser when a user plays a malicious media file handled by QuickTime, an attacker can use an existing vulnerability in QuickTime to compromise Firefox or the local machine.

Petkov said that the attack is only reproducible on Windows, and he also provided proof-of-concept code that may be easily converted into an exploit.

Mozilla had already released version 2.0.0.5 in July to fix the problem, but Petkov reported that it could still be exploited. Mozilla explained that its previous fix was supposed to stop this type of attack, but QuickTime calls the browser in an unexpected way that bypasses that fix. To protect Firefox users, Mozilla is stripping out the ability to run arbitrary script from the command line entirely.

In its security advisory (2007-28) Mozilla explained the vulnerability. "On his blog Petko D. Petkov reported that QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. When the default browser is Firefox 2.0.0.6 or earlier use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user. This could be used to install malware, steal local data, or otherwise corrupt the victim's computer."

Mozilla also noted that the fix Apple applied in QuickTime 7.1.5 does not prevent this version of the problem.

The previous patch, 2.0.0.6, was released by Mozilla in August to address a vulnerability found in both Firefox and Internet Explorer 7.

Window Snyder, Mozilla's top security executive, noted that Apple and Firefox engineers collaborated to solve the issue.

"This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," Snyder wrote in her blog. "This issue was patched in only six (or 6.25 according to John O'Duinn) days. When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks, you guys, for helping destroy the economics of malicious exploit development."

Mozilla has sent a mandatory update notice to all Firefox users, urging them to upgrade to version 2.0.0.7. Mozilla said that the update is mandatory even for Firefox users who didn't expressly install QuickTime, because Apple's software is part of iTunes.

In the last Internet Security Threat Report, released earlier this week, Symantec researchers documented 237 vulnerabilities in Web browser plug-ins in the first half of the year. The report noted that this is a significant increase over the 74 discovered in the second half of 2006 and the 34 in the first half of 2006.