Mozilla Update 2.0.0.7


Release date: September 18, 2007

According to the release note ,a critical vulnerability issue regarding the “Code execution via QuickTime Media-link files” has been fixed.

QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. When the default browser is Firefox 2.0.0.6 or earlier use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user. This could be used to install malware, steal local data, or otherwise corrupt the victim’s computer.The fix for MFSA 2007-23 was intended to prevent this type of attack but QuickTime calls the browser in an unexpected way that bypasses that fix. To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line. Other command-line options remain, however, and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime.

This QuickTime issue appears to be the one described by CVE-2006-4965 but the fix Apple applied in QuickTime 7.1.5 does not prevent this version of the problem.

Disabling JavaScript in the browser does not protect against this attack; prior to the fix scripts passed through the -chrome option would be executed regardless of the JavaScript setting for web content, much as interpreters for languages such as perl and Python execute scripts passed on the command line. The NoScript add-on, however, has provided protection against this class of attack since the cross-browser vulnerabilities described by MFSA 2007-23 were discovered.

Source: http://en-us.www.mozilla.com/en-US/firefox/2.0.0.7/releasenotes/


Leave a Reply