Firefox patches elusive Quicktime security flaw
Mozilla today fixed a vulnerable in how Apple QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. Although the problem appeared to be resolved earlier this year, researcher Petko D. Petkov and others found recently that it could still be exploited.
A previous fix in July's Firefox version 2.0.05 was intended to resolve this issue, but, according to Mozilla, "QuickTime calls the browser in an unexpected way that bypasses that fix." Also, Apple's own fix in the release of QuickTime 7.1.5 last March failed to resolve the issue.
The security update for Firefox has been automatically pushed out to current users. New users can download the latest version from Mozilla directly .
Finally, Mozilla notes that the upcoming release of Firefox 3 (Gran Paradiso) Alpha 8, expected today or tomorrow, does not contain the fix for this vulnerability.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
- Think Different
- by SeizeCTRL September 19, 2007 11:57 AM PDT
- Use QuickAlternative instead.
- Like this Reply to this comment
-
-
- Why?
- by GGGlen September 20, 2007 3:54 AM PDT
- Why should I?
- Like this View reply
Processing -
(3 Comments)On Apple systems, everything works just fine.