Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Security advisory and fix released for Firefox - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Security advisory and fix released for Firefox

Mozilla has issued a security update for Firefox. It resolves a new exploitation pathway for the MFSA 2007-23 advisory. As you may recall, this dealt with the way Internet Explorer could invoke either Firefox or Thunderbird. These applications support a "-chrome" option, which allows loading of a specified Chrome, but could also allow code execution.

The new fix now removes the ability to run arbitrary scripts from the command line. It was implemented specifically due to a finding in QuickTime media-link files. A 'qtnext' attribute allowed the passing of parameters to a web browser which would be invoked upon finalizing playing of the media file.

We strongly advise you to install the updated version if you have any form of the QuickTime plugin installed.

Maarten

158 Posts

Sign Up for Free or Log In to start participating in the conversation!