Mozilla has issued a security update for Firefox. It closes a new exploitation path for the issue covered by the MFSA 2007-23 advisory. As you may recall, that advisory dealt with the way Internet Explorer could invoke either Firefox or Thunderbird. These applications support a "-chrome" option, which allows loading of a specified chrome, but could also allow code execution. The new fix removes the ability to run arbitrary scripts from the command line. It was implemented specifically because of a finding in QuickTime media-link files: a 'qtnext' attribute allowed parameters to be passed to a web browser, which would be invoked once the media file finished playing. We strongly advise you to install the updated version if you have any form of the QuickTime plugin installed.
Maarten, Sep 19th 2007
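One way to spot the launch pattern described above in process-creation telemetry, added here as an example and not taken from the diary or from Mozilla's advisory: it flags Firefox or Thunderbird being started with a `-chrome` argument and reports the parent process. The event tuples, the placeholder arguments and the loose matching (any letter case, one or two dashes) are constructed assumptions.

```python
import shlex

# Applications the diary names as accepting the "-chrome" option.
TARGETS = {"firefox.exe", "firefox", "thunderbird.exe", "thunderbird"}

# Constructed sample events: (parent image path, child command line).
SAMPLE_EVENTS = [
    (r"C:\Program Files\QuickTime\QuickTimePlayer.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe" -chrome "PLACEHOLDER-ARGUMENT"'),
    (r"C:\Windows\explorer.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe" "http://example.com/?q=-chrome"'),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Mozilla Thunderbird\thunderbird.exe" -CHROME PLACEHOLDER'),
    (r"C:\Windows\explorer.exe",
     r'"C:\Windows\notepad.exe" notes-chrome.txt'),
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def split_cmdline(cmdline):
    """Split a command line into arguments, keeping Windows backslashes."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]


def find_chrome_launches(events):
    """Return events where a target application received a -chrome option."""
    hits = []
    for parent, cmdline in events:
        argv = split_cmdline(cmdline)
        if not argv or basename(argv[0]) not in TARGETS:
            continue
        # Match the option only as a whole argument, not inside a URL or file name.
        if any(a.startswith("-") and a.lstrip("-").lower() == "chrome" for a in argv[1:]):
            hits.append({"parent": basename(parent), "child": basename(argv[0]), "argv": argv[1:]})
    return hits


if __name__ == "__main__":
    for hit in find_chrome_launches(SAMPLE_EVENTS):
        print(hit)
```

A hit whose parent is a media player or another browser rather than the user's shell is the case worth triaging first.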