Firefox 184.108.40.206 closes hole in QuickTime
With the release of Firefox version 220.127.116.11, the developers of Firefox have closed the security hole recently reported by Petko Petkov (pdp) in the QuickTime plug-in for Firefox. The new version does not contain any other bug fixes. In previous versions, attackers could use specially crafted QuickTime link files (.qtl) to execute malicious code with maximum privileges in the browser; it was even possible to get complete control of the system.
In security advisory MFSA 2007-28, the Mozilla developers explain, however, that QuickTime executes these calls in such an unusual way that a new hole in Firefox and SeaMonkey opens up. Apple is said to be aware of the flaw, which was allegedly remedied in version 7.1.5 of QuickTime, though this has now obviously turned out to be incorrect.
Version 18.104.22.168 of Firefox has now closed this hole. But no new version of SeaMonkey, which also contains the flaw according to the security advisory released by the Mozilla developers, has yet been made available on the project's website. Firefox users can download and install the update via the integrated update function. The new version is, however, also available as a complete installation package, which can be downloaded from the Mozilla project's servers. Users of Firefox are advised to install the update immediately if they have also installed either QuickTime or QuickTime Alternative.
- What's New in Firefox 22.214.171.124, summary of the changes in Firefox 126.96.36.199
- Code execution via QuickTime Media-link files, security advisory from the developers of Mozilla
- Remote code execution by launching Firefox from Internet Explorer, security advisory from the developers of Mozilla
- Download Firefox 188.8.131.52
- QuickTime opens up a security leak in Firefox, report by heise Security