Firefox 2.0.0.7 Released - patches QuickTime security issue

         

coopster

3:13 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member




QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. When the default browser is Firefox 2.0.0.6 or earlier, use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user. This could be used to install malware, steal local data, or otherwise corrupt the victim's computer.

[en-us.mozilla.com...]

Looks more like a QuickTime and/or Windows issue more than anything else ...

"... could be used on Windows systems to launch the default browser"

"until this issue is fixed in QuickTime"

"but the fix Apple applied in QuickTime 7.1.5 does not prevent this version of the problem"

blend27

5:52 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thank You.

jtara

6:09 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not sure I like how they handled this update, though.

I just got it - installed without my permission!

I was browsing and got a window saying "Firefox has downloaded and installed an important update. Do you want to restart Firefox now?"

I didn't get the chance to accept or reject the download or installation. Just whether I wanted to restart to use the (already installed) update!

This is two unauthorized updates for me in 24 hours. I got the unauthorized Windows update (apparently) last night. I went to shut down my machine, and got the choice to "install updates and shut down". But there were no updates in the control panel.

This is a very disturbing trend - no matter how important the security issue might be.

I am afraid we are losing control of our own computers.

Tourz

6:14 pm on Sep 19, 2007 (gmt 0)

10+ Year Member



Crashed on me twice this morning while using Yahoo mail.

amznVibe

6:36 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




"I'm not sure I like how they handled this update, though.

I just got it - installed without my permission!"

That's because of your settings, not Firefox.

tools->options->advanced->update
"When updates to Firefox are found"
(fill in the circle you desire)

jtara

7:35 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"That's because of your settings, not Firefox."

To paraphrase Richard Nixon: "setting changes were made".

I don't know how. But I've set it back to asking for permission.

cstones

12:58 am on Sep 20, 2007 (gmt 0)

10+ Year Member



Firefox's update program has a problem, surely.

vincevincevince

5:58 am on Sep 20, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't see any QuickTime urgent security update yet. Hide-head-in-the-sand-and-let-someone-else-take-the-blame time at Apple I presume.

Certainly not a Firefox bug - Apple are entirely responsible for checking any data they obtain from the internet and then pass to the local system.

Suffice to say, I've removed QuickTime from the Windows machine.

amznVibe

6:12 am on Sep 20, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"Suffice to say, I've removed QuickTime from the Windows machine."

You don't have to remove QuickTime, just delete the browser plugin.
I'm running 1.5 and it passes the proof-of-concept hack when the plugin is deleted.

I posted how to do that here last week or so:
[webmasterworld.com...]

Note that Opera and anything else that uses the plugin is affected.

[edited by: amznVibe at 6:14 am (utc) on Sep. 20, 2007]