Mozilla has released a patch today for its popular Firefox webbrowser which ditches the ability to run arbitrary script from the Firefox command line, a quick fix for a year-old QuickTime bug that could be used to take over user systems. Security researcher Petko D. Petkov on Sept. 12 posted proof-of-concept code showing that the low-risk, year-old QuickTime bug could easily be turned into a high-risk attack on Firefox, Internet Explorer, Skype and other programs. Petkov—aka pdp—showed how QuickTime media formats can be used to get into Firefox, leading to full browser compromise and perhaps even to compromise of the underlying operating system.
Mozilla said that its fix for MFSA 2007-23 was supposed to stop this type of attack but that QuickTime calls the browser in an unexpected way that bypasses that fix. So, to protect Firefox users, it's stripping out the ability to run arbitrary script from the command line entirely. Don't worry, though; until Apple has fixed the issue in QuickTime, QuickTime Media-link files can still be used to annoy users, Mozilla said. "Other command-line options remain, … and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime," the open-source foundation said in its post.