Mozilla has posted Firefox 220.127.116.11, an extremely critical update for all Firefox users. Only one thing has been fixed, but it is a QuickTime vulnerability that could compromise Firefox and your computer.
Petko D. Petkov found the exploit, and says that he discovered it nearly a year ago. At the time he had actually come across two of these vulnerabilities, but only one of them was ever fixed. Now, nearly a year later, he took it upon himself to show "how a Low risk issue can be turned into a very easy to perform HIGH risk attack." To sum it up: as long as Firefox is set as the default browser, it will open the link and execute code, and in Petkov’s example the Windows Calculator is launched.
Here’s what the Mozilla Security Blog had to say about the issue:
If Firefox is the default browser when a user plays a malicious media file handled by Quicktime, an attacker can use a vulnerability in Quicktime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in Quicktime. So far this is only reproducible on Windows.
Petkov provided proof of concept code that may be easily converted into an exploit, so users should consider this a very serious issue.
According to Petkov this exploit is actually cross-platform, although BetaNews and I both failed to get it to work on Vista. As of right now this appears to be isolated to the Firefox browser, but QuickTime is installed with iTunes by default, which makes the risk of people being exploited much more serious. So all Firefox and QuickTime users are urged to upgrade to the newest Firefox 18.104.22.168:
Note: These download links use Mozilla’s load balancing, which is better than what some sites are doing by linking directly to the executable. The download should be posted on the official Firefox.com domain shortly, but QuickTime users should upgrade as soon as possible.