Mozilla today released an update to its Firefox browser to fix
a QuickTime vulnerability that was reported last week.
The vulnerability was reported by a security researcher,
Petko Petkov. He wrote on his blog that if Firefox is the default browser when
a user plays a malicious media file handled by QuickTime, an attacker can use an
existing vulnerability in QuickTime to compromise Firefox or the local machine.
Petkov said that the attack is only reproducible on Windows,
and he also provided proof-of-concept code that may be easily converted into an
exploit.
Mozilla had already released version 2.0.0.5 in July to fix the
problem, but Petkov reported that it could still be exploited. Mozilla explained
that its previous fix was supposed to stop this type of attack, but QuickTime
calls the browser in an unexpected way that bypasses that fix. To protect Firefox
users, Mozilla is removing the ability to run arbitrary script from the command
line entirely.
In its security advisory (2007-28), Mozilla
explained the vulnerability: "On his blog Petko D. Petkov reported
that QuickTime Media-Link files contain a qtnext attribute that could be used
on Windows systems to launch the default browser with arbitrary command-line
options. When the default browser is Firefox 2.0.0.6 or earlier use of the
-chrome option allowed a remote attacker to run script commands with the full
privileges of the user. This could be used to install malware, steal local
data, or otherwise corrupt the victim's computer."
Mozilla also noted that the fix Apple applied in QuickTime
7.1.5 does not prevent this version of the problem.
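
The advisory's description suggests a simple defensive check, shown here as an added example that is not from Mozilla's advisory or Petkov's post: flag media-link files whose qtnext attribute carries command-line options instead of a URL. The `<embed>` file layout, both sample files and the function name `qtnext_findings` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The <embed> layout is an assumption, not from the article.
BENIGN_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="clip.mov" autoplay="true" qtnext="http://example.com/next.mov"/>"""

FLAGGED_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="clip.mov" autoplay="true" qtnext="-chrome PLACEHOLDER"/>"""


def qtnext_findings(qtl_text):
    """Return (attribute, value, reason) tuples for risky qtnext values."""
    try:
        root = ET.fromstring(qtl_text)
    except ET.ParseError:
        # A file that cannot be parsed cannot be cleared; report it for review.
        return [("<document>", "", "unparseable media-link file")]

    findings = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if not name.lower().startswith("qtnext"):
                continue
            # Heuristic: a next-item URL does not start with '-', an option does.
            options = [t for t in value.split() if t.startswith("-")]
            if any(t.lower() == "-chrome" for t in options):
                findings.append((name, value, "passes -chrome to the browser"))
            elif options:
                findings.append((name, value, "passes command-line options"))
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_QTL), ("flagged", FLAGGED_QTL)):
        print(label, qtnext_findings(sample))
```
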
The previous patch, 2.0.0.6, was released by Mozilla in
August to address a vulnerability found in both Firefox and Internet
Explorer 7.
Window Snyder, Mozilla's top security executive, noted that
Apple and Firefox engineers collaborated to solve the issue.
"This will protect Firefox users from the public
critical security vulnerability until a patch is available from Apple," wrote
Snyder in her blog. "This issue
was patched in only six (or 6.25 according to John O'Duinn) days. When a vendor
ships security fixes quickly, it lowers the incentive for attackers to spend
time developing and deploying an exploit for that issue. The window of
opportunity for attackers is reduced and so is the potential to compromise
users. So thanks, you guys, for helping destroy the economics of malicious
exploit development."
Mozilla has sent a mandatory update notice to all Firefox
users, urging them to upgrade to version 2.0.0.7. Mozilla said that the update
is mandatory even for Firefox users who didn't expressly install QuickTime, because
Apple's software is part of iTunes.
In its latest Internet Security Threat Report, released
earlier this week, Symantec researchers documented 237 vulnerabilities in Web
browser plug-ins in the first half of the year. The report noted that this is a
significant increase over the 74 discovered in the second half of 2006 and the
34 in the first half of 2006.