Mozilla Patches QuickTime/Firefox Flaw

By Lisa Vaas  |  Posted 2007-09-19 Print this article Print

Despite Mozilla's quick fix, QuickTime itself is still buggy.

Mozilla, on Sept. 19, ditched the ability to run arbitrary script from the Firefox command line, a quick fix for a year-old QuickTime bug that could be used to take over user systems.

Security researcher Petko D. Petkov on Sept. 12 posted proof-of-concept code showing that the low-risk, year-old QuickTime bug could easily be turned into a high-risk attack on Firefox, Internet Explorer, Skype and other programs.
Petkov—aka pdp—showed how QuickTime media formats can be used to get into Firefox, leading to full browser compromise and perhaps even to compromise of the underlying operating system. QuickTime comes by default with iTunes, Petkov noted. "Therefore, iTunes users are most affected," he said at the time.
Petkov said in his post that QuickTime Media-Link files contain a qtnext attribute that can be used on Windows systems to launch the default browser with arbitrary command-line options. Mozilla said in a security advisory posted on Sept. 18 that when the default browser is Firefox or earlier, use of the chrome option allowed a remote attacker to run script commands with the full privileges of the user and hence to install malware, steal local data, or otherwise corrupt the victims computer. Mozilla said that its fix for MFSA 2007-23 was supposed to stop this type of attack but that QuickTime calls the browser in an unexpected way that bypasses that fix. So, to protect Firefox users, its stripping out the ability to run arbitrary script from the command line entirely. Dont worry, though; until Apple has fixed the issue in QuickTime, QuickTime Media-link files can still be used to annoy users, Mozilla said. "Other command-line options remain, … and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime," the open-source foundation said in its post. QuickTime is vulnerable to system hijacks. Click here to read more. Mozilla also notes that this QuickTime issue appears to be the same one described by CVE-2006-4965 but that the fix Apple applied in QuickTime 7.1.5 does not prevent this take on the problem. Mozilla released Firefox to patch the QuickTime issue on Sept. 18. "This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," Mozillas "chief security something or other" Window Snyder said in a posting about the fix. Apple declined to provide feedback on the issue when Petkov first revealed it last week. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel