Mozilla patches QuickTime bug in Firefox

By Dan Kaplan
Sep 20, 2007 1:59 PM
Firefox version 2.0.0.7 contains a patch for a Windows-based critical flaw that could lead to browser or complete system compromise, giving attackers the ability to "install malware, steal local data or otherwise corrupt the victim's computer," according to a Mozilla advisory released Tuesday.

The bug, revealed a week ago, is related to an error in the way Firefox handles the QuickTime plug-in, Apple's widely used multimedia platform for playing video and music files.

Discovered by Petko Petkov, founder of penetration-testing group Gnucitizen, the vulnerability can occur because earlier versions of Firefox accept the "-chrome" command-line option, which permits attackers to create malicious scripts.

A July patch was supposed to correct the flaw, "but QuickTime calls the browser in an unexpected way that bypasses the fix," according to Mozilla.

As an additional remedy, Firefox has prohibited users from running arbitrary script from the command line, Mozilla said. Disabling JavaScript, though, does not offer protection.

But Apple has failed to address the inherent problem, which could lead to more command-line options enabling attackers to bombard users with pop-up windows and dialog boxes, Mozilla said.

An Apple spokeswoman could not be immediately reached for comment.

Researchers said Firefox users need to upgrade as soon as possible.

"I looked at the exploit code and it was kind of a brain-dead thing to take and weaponize," Andrew Storms, director of security operations at nCircle, told SCMagazineUS.com today. "It's easy enough to put one of these on a website. If you drive by, you get attacked."

Window Snyder, Mozilla's head of security, thanked Mozilla staff for quickly pushing out a fix.

"This issue was patched in only six days," she said Tuesday on the Mozilla security blog. "When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue… So thanks guys, for helping destroy the economics of malicious exploit development."

Secure Computing Magazine

 