Incident Response, Malware, Patch/Configuration Management, TDR, Vulnerability Management

Mozilla patches QuickTime bug in Firefox

Mozilla released an updated version of its browser on Tuesday to correct a critical QuickTime security vulnerability for which proof-of-concept code was available.

Firefox version contains a patch for a Windows-based critical flaw that could lead to browser or complete system compromise, giving attackers the ability to "install malware, steal local data or otherwise corrupt the victim's computer," according to a Mozilla advisory released Tuesday.

The bug, revealed a week ago, is related to an error in the way Firefox handles the QuickTime plug-in, Apple's widely used multimedia platform for playing video and music files.

Discovered by Petko Petkov, founder of penetration-testing group Gnucitizen, the vulnerability can occur because earlier versions of Firefox permit the "–chrome" command-line option, which permits attackers to create malicious scripts.

A July patch was supposed to correct the flaw, "but QuickTime calls the browser in an unexpected way that bypasses the fix," according to Mozilla.

As an additional remedy, Firefox has prohibited users from running arbitrary script from the command line, Mozilla said. Disabling JavaScript, though, does not offer protection.

But Apple has failed the address the inherent problem, which could lead to more command-line options enabling attackers to bombard users with pop-up windows and dialog boxes, Mozilla said.

An Apple spokeswoman could not be immediately reached for comment.

Researchers said Firefox users need to upgrade as soon as possible.

"I looked at the exploit code and it was kind of a brain-dead thing to take and weaponize," Andrew Storms, director of security operations at nCircle, told today. "It's easy enough to put one of these on a website. If you drive by, you get attacked."

Window Snyder, Mozilla's head of security, thanked Mozilla staff for quickly pushing out a fix.

"This issue was patched in only six days," she said Tuesday on the Mozilla security blog. "When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue…So thanks guys, for helping destroy the economics of malicious exploit development."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.