From Mozilla Links
GNUCITIZEN, a “creative hacker organization”, has disclosed details on a severe security vulnerability affecting Firefox users that have installed the QuickTime plugin on Windows or Mac OS X, which at a minimum includes all iTunes users.
The vulnerability is based on QuickTime Media Link files (.qtl), simple XML files that include details about the media file to be played (like an .avi, .mov or .mp3) and other settings. However one of these parameters, qtnext, allows the publisher to specify a URL (web address) to be displayed when the media file ends. The URL could be a JavaScript instruction like those used in thousands of web pages and services currently.
To this point there is no problem. But Firefox itself is controlled through JavaScript code and libraries in an isolated environment that separates it from web pages code. The QuickTime plugin however can access the Firefox code just as any other object and manipulate it to run any application in an attacked computer.
To make things worse, the QTL files can be renamed as .mp3, .mpg, .avi or any of a couple of dozen file formats QuickTime supports and it will handle them properly, easing the scenario for possible attacks.
The test cases posted by GNUCITIZEN are really scary: click on an mp3 and the QuickTime plugin tries to load the file which doesn’t exist so it quickly completes and launches Windows Calculator. But it could be any application with any parameter.
The article goes on to recommend the removal of QuickTime from your system. However for me that is not something I really want to do. Oddly enough I do use QuickTime quite frequently. A blog I frequent uses QuickTime videos and my internet based answering service uses QuickTime for the messages (although I could choose to download them as MP3). Further it is important to understand that is a QuickTime issue and it is NOT just isolated to Firefox and Windows. It also affects IE (but not as severely) and even the immortal Macs.
While bug 395942 was caught early enough that it could be patched in Firefox 2.0.0.7, what is one suppose to do in the mean time? You can go thru the process of removing QuickTime wait for new versions of Firefox and QuickTime and then reinstall. But there is a batter option, thanks to our friends on the CyberNet Forum. Turns out the NoScript extension will protect your from this vulnerability.
News Sources:
- CyberNet Forum
- Mozilla Links [1, 2]
The Firefox Extension Guru's Blog 
[…] According to the Firefox:2.0.0.7:Test Plan, Fx 2.0.0.7 is going to be a security fix for the QuickTime Vulnerability. This update/security release could be out later today. Everything else that is planned for the Fx […]
[…] 2.0.0.7 – Fire Drill (Security) release to address the QuickTime Vulnerability. Should be out later today or on Tuesday […]
[…] , Mozilla Firefox , Mozilla News Fx 2.0.0.7 is a Fire Drill (Security) release to address the QuickTime Vulnerability. Currently it has not been pushed out to the ‘GetFirefox‘ page or into the auto updates […]
[…] released version 2.0.0.7 as a Fire Drill (Security) release. This security release addresses a severe vulnerability to Firefox for Windows & Mac users who have installed the Quicktime plugin, at minimum all […]
ansfer blogSouthgate overlooked the Arsenal midfielder for the recent games with Germany and Lithuania but remains a massive fan of the player.
MONACO’S vice-president has confirmed a host of “major clubs have enquired over the availability of Bernardo Silva.