19 September 2007, 14:56

Firefox 2.0.0.7 closes hole in QuickTime

With the release of Firefox version 2.0.0.7, the developers of Firefox have closed the security hole recently reported by Petko Petkov (pdp) in the QuickTime plug-in for Firefox. The new version does not contain any other bug fixes. In previous versions, attackers could use specially crafted QuickTime link files (.qtl) to execute malicious code with maximum privileges in the browser; it was even possible to get complete control of the system.

This vulnerability was supposed to have been eliminated in Firefox 2.0.0.5. Security advisory MFSA 2007-23 describes a flaw that prevents Internet Explorer from correctly filtering out quotation marks when programs are launched, allowing programs to be called by means of parameters. For instance, Firefox and Thunderbird could be launched with the parameter -chrome, in which case JavaScript would run with the highest privileges in the browser, a condition that could possibly be used to compromise the system.

In security advisory MSFA 2007-28, the Mozilla developers explain, however, that QuickTime executes these calls in such an unusual way that a new hole in Firefox and SeaMonkey opens up. Apple is said to be aware of the flaw, which was allegedly remedied in version 7.1.5 of QuickTime, though this has now obviously turned out to be incorrect.

Version 2.0.0.7 of Firefox has now closed this hole. But no new version of SeaMonkey, which also contains the flaw according to the security advisory released by the Mozilla developers, has yet been made available on the project's website. Firefox users can download and install the update via the integrated update function. The new version is, however, also available as a complete installation packet, which can be downloaded from the Mozilla project's servers. Users of Firefox are advised to install the update immediately if they have also installed either QuickTime or QuickTime Alternative.