Mozilla Patches QuickTime/Firefox Flaw

Mozilla, on Sept. 19, ditched the ability to run arbitrary script from the Firefox command line, a quick fix for a year-old QuickTime bug that could be used to take over user systems.

Security researcher Petko D. Petkov on Sept. 12 posted proof-of-concept code showing that the low-risk, year-old QuickTime bug could easily be turned into a high-risk attack on Firefox, Internet Explorer, Skype and other programs.

Petkov—aka pdp—showed how QuickTime media formats can be used to get into Firefox, leading to full browser compromise and perhaps even to compromise of the underlying operating system. QuickTime comes by default with iTunes, Petkov noted. “Therefore, iTunes users are most affected,” he said at the time.

Petkov said in his post that QuickTime Media-Link files contain a qtnext attribute that can be used on Windows systems to launch the default browser with arbitrary command-line options. Mozilla said in a security advisory posted on Sept. 18 that when the default browser is Firefox 2.0.0.6 or earlier, use of the chrome option allowed a remote attacker to run script commands with the full privileges of the user and hence to install malware, steal local data, or otherwise corrupt the victims computer.

Mozilla said that its fix for MFSA 2007-23 was supposed to stop this type of attack but that QuickTime calls the browser in an unexpected way that bypasses that fix. So, to protect Firefox users, its stripping out the ability to run arbitrary script from the command line entirely.

Dont worry, though; until Apple has fixed the issue in QuickTime, QuickTime Media-link files can still be used to annoy users, Mozilla said. “Other command-line options remain, … and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime,” the open-source foundation said in its post.

QuickTime is vulnerable to system hijacks. Click here to read more.

Mozilla also notes that this QuickTime issue appears to be the same one described by CVE-2006-4965 but that the fix Apple applied in QuickTime 7.1.5 does not prevent this take on the problem.

Mozilla released Firefox 2.0.0.7 to patch the QuickTime issue on Sept. 18. “This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple,” Mozillas “chief security something or other” Window Snyder said in a posting about the fix.

Apple declined to provide feedback on the issue when Petkov first revealed it last week.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.