Firefox 18.104.22.168 closes hole in QuickTime
With the release of Firefox version 22.214.171.124, the developers of Firefox have closed the security hole recently reported by Petko Petkov (pdp) in the QuickTime plug-in for Firefox. The new version does not contain any other bug fixes. In previous versions, attackers could use specially crafted QuickTime link files (.qtl) to execute malicious code with maximum privileges in the browser; it was even possible to get complete control of the system.
In security advisory MSFA 2007-28, the Mozilla developers explain, however, that QuickTime executes these calls in such an unusual way that a new hole in Firefox and SeaMonkey opens up. Apple is said to be aware of the flaw, which was allegedly remedied in version 7.1.5 of QuickTime, though this has now obviously turned out to be incorrect.
Version 126.96.36.199 of Firefox has now closed this hole. But no new version of SeaMonkey, which also contains the flaw according to the security advisory released by the Mozilla developers, has yet been made available on the project's website. Firefox users can download and install the update via the integrated update function. The new version is, however, also available as a complete installation packet, which can be downloaded from the Mozilla project's servers. Users of Firefox are advised to install the update immediately if they have also installed either QuickTime or QuickTime Alternative.
- What's New in Firefox 188.8.131.52, summary of the changes in Firefox 184.108.40.206
- Code execution via QuickTime Media-link files, security advisory from the developers of Mozilla
- Remote code execution by launching Firefox from Internet Explorer, security advisory from the developers of Mozilla
- Download Firefox 220.127.116.11
- QuickTime opens up a security leak in Firefox, report by heise Security