Firefox QuickTime

Mozilla has posted Firefox 2.0.0.7, which is an extremely critical update for all Firefox users out there. There is only one thing that has been fixed, but it’s a QuickTime vulnerability that could compromise Firefox and your computer.

Petko D. Petkov was the person who found the exploit, and he says that he discovered it nearly a year ago. At the time he had actually come across two of these vulnerabilities, but only one of them had ever been fixed. Now, nearly a year later, he took it upon himself to show "how a Low risk issue can be turned into a very easy to perform HIGH risk attack." To sum it up: as long as Firefox is set as the default browser, it will open the link and execute some code; in Petkov’s example the Windows Calculator is launched.

Here’s what the Mozilla Security Blog had to say about the issue:

If Firefox is the default browser when a user plays a malicious media file handled by Quicktime, an attacker can use a vulnerability in Quicktime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in Quicktime. So far this is only reproducible on Windows.

Petkov provided proof of concept code that may be easily converted into an exploit, so users should consider this a very serious issue.

According to Petkov this exploit is actually cross-platform, although both BetaNews and I failed to get it to work on Vista. As of right now this appears to be isolated to the Firefox browser, but QuickTime is installed with iTunes by default, which makes the chances of people being exploited much more serious. So all Firefox and QuickTime users are urged to upgrade to the newest Firefox 2.0.0.7:

Note: These download links use Mozilla’s load balancing, which is better than what some sites are doing by linking directly to the executable. The download should be posted on the official Firefox.com domain shortly, but QuickTime users should upgrade as soon as possible.

There Are 5 Comments

  1. And you would use Quicktime why? Shame on the people for even having it.

  2. Google wrote:
    And you would use Quicktime why? Shame on the people for even having it.

    I would have to agree with that, but some people like using it to watch trailers. Personally I always download the video to my computer and watch it in VLC.

  3. And of course this was only for Windows, and yet Mac and Linux users got what was basically 2.0.0.6 once again, as 2.0.0.7 is 2.0.0.6 but with this fix, since 2.0.0.7 does not have any of the branch fixes since 2.0.0.6. 2.0.0.8 will be more of an actual update.

    If Linux/Mac users did not get a 2.0.0.7 update, they would probably wonder why they did not, wonder if the software updater was working, ask other "why" questions, etc., and when 2.0.0.8 came out they would likely have gotten a full-size update instead of a partial one.

  4. James wrote:
    And of course this was only for Windows, and yet Mac and Linux users got what was basically 2.0.0.6 once again, as 2.0.0.7 is 2.0.0.6 but with this fix, since 2.0.0.7 does not have any of the branch fixes since 2.0.0.6. 2.0.0.8 will be more of an actual update.

    If Linux/Mac users did not get a 2.0.0.7 update, they would probably wonder why they did not, wonder if the software updater was working, ask other "why" questions, etc., and when 2.0.0.8 came out they would likely have gotten a full-size update instead of a partial one.

    I heard that the vulnerability worked on Macs as well though?
