Firefox Update Addresses QuickTime-triggered Vulnerability
Users of Firefox yesterday began receiving notices of the availability of version 2.0.0.7, which the Mozilla organization said addresses a vulnerability involving Apple's QuickTime plug-in. In BetaNews tests of the new version this afternoon, the vulnerability in question appears to have been fully patched.
In a recent permutation of what might have been a very old, very open hole, a malicious Web page was capable of spawning a new running copy of the default Web browser, and then - if that browser was Firefox - trigger it to try to load QuickTime by pointing it to a file whose type QuickTime is known to handle (typically .MOV files). Whether or not that file actually existed, the trigger could be crafted to contain JavaScript code that ran unchecked, possibly enabling the execution of any kind of binary code.
As security consultant Petko D. Petkov demonstrated last week, that hole could be easily exploited on Windows XP-based systems where Firefox was the default browser. In his non-malicious example, Petkov was able to trigger Notepad and other non-harmful programs to run.
BetaNews tried several permutations of Petkov's exploit on Windows XP and Windows Vista systems where the recently patched Firefox 2.0.0.7 was the default browser. In each case, the exploit did not trigger an executable file to run; instead, a second copy of Firefox would run and pull up its usual home page.
As Mozilla security chief Window Snyder posted on her team's blog on Tuesday, as the patch was being prepared for release, "When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks you guys, for helping destroy the economics of malicious exploit development."
But as Petkov proclaimed last week, he had been trying to awaken Mozilla's attention to the existence of the basic trigger behind the exploit for as long as a whole year.
Rather than gloat about having catalyzed a solution to the problem, Petkov announced on his blog today that he had discovered a similarly highly vulnerable exploit involving Adobe PDF files. He has not yet revealed details, instead publicly requesting Adobe to contact him personally for more information.