Mozilla Releases Patch for QuickTime Flaw for Firefox Web Users

Mozilla released an update for its Firefox Web browser on September 18, 2007 to patch a reasonably critical flaw that Apple's QuickTime media player had introduced. The new patch version namely Firefox 2.0.0.7 should automatically download and install itself unless someone is using an older Firefox version that might be without support.

A hacker named Petko Petkov reported the flaw in the second week of September 2007, which allowed attackers to execute unauthorized instructions on a compromised computer. By exploiting the flaw, it is possible to plant malware, steal data or at least corrupt the hacked PC, said Mozilla in a security advisory published on September 18, 2007.

During the announcement of the update, Windows Snyder, Chief of Security for Mozilla, talked highly of how fast her company responded to the reported flaw. COMPUTERWORLD reported this on September 18, 2007. Snyder said in Mozilla's security blog that it took just six days for her company to patch the issue. When security vendors ship the patches fast, hackers lost motivation to devote time in developing and installing a relevant exploit for the issue.

A patch in July 2007 would have handled this problem, but Petkov demonstrated that even then, attackers could execute commands on a compromised system by tricking the user to open an ill-crafted QuickTime Media file.

Apple needs to address the particular vulnerability in QuickTime, otherwise users could continue to have troubles, Mozilla indicated in its security advisory that discussed the issue. The advisory explained that the use of QuickTime Media files could still enable display of dialogs and pop-up windows until that issue was fixed.

Apple had patched QuickTime at least four times in 2007 but it has not designed a fix for this particular vulnerability. In the second week of September 2007, an Apple spokesman said very plainly that Apple is always serious about security and have a remarkable track record for handling potential vulnerabilities before they could affect their users.

Another Windows Media Player flaw has emerged, which attackers could use to exploit IE vulnerabilities holding malicious documents. This can happen even if a user browses only with Opera, Firefox or some non-Microsoft browser.

Related article: Mozilla Rules Out Bug in Its Firefox

» SPAMfighter News - 10/6/2007