Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Security advisory and fix released for Firefox - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Security advisory and fix released for Firefox

Mozilla has issued a security update for Firefox. It resolves a new exploitation pathway for the MFSA 2007-23 advisory. As you may recall, this dealt with the way Internet Explorer could invoke either Firefox or Thunderbird. These applications support a "-chrome" option, which allows loading of a specified Chrome, but could also allow code execution.

The new fix now removes the ability to run arbitrary scripts from the command line. It was implemented specifically due to a finding in QuickTime media-link files. A 'qtnext' attribute allowed the passing of parameters to a web browser which would be invoked upon finalizing playing of the media file.

We strongly advise you to install the updated version if you have any form of the QuickTime plugin installed.


158 Posts
Sep 19th 2007

Sign Up for Free or Log In to start participating in the conversation!