Mozilla slaps temp patch on Firefox
Apple still needs to fix QuickTime, but Firefox users now safer from attack
Last Thursday, Petko Petkov, a U.K.-based Web application penetration tester, posted exploit code for a bug in Apple Inc.'s QuickTime media player. The bug, which Petkov first disclosed in September 2006, lets attackers run script commands on systems equipped with Firefox 184.108.40.206 or earlier and gives them a way to completely compromise machines. Petkov posted attack samples last week after he'd contacted Apple twice in 2006 without receiving a reply.
In announcing the update today, Mozilla's chief of security, Window Snyder, bragged about her company's fast response time. "This issue was patched in only six days," Snyder wrote on Mozilla's security blog. "When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue."
In a separate advisory that outlined the fix, however, Mozilla also acknowledged that a July 17 update, which patched another QuickTime handling issue in Firefox, missed this second bug. "The fix for MFSA 2007-23 was intended to prevent this type of attack but QuickTime calls the browser in an unexpected way that bypasses that fix," the advisory read.
Apple also slipped up, Mozilla said. "This QuickTime issue appears to be the one described by CVE-2006-4965 but the fix Apple applied in QuickTime 7.1.5 does not prevent this version of the problem." Apple released QuickTime 7.1.5 as a security update in early March.
In fact, today's update doesn't actually patch the vulnerability, but simply blocks the browser from running any arbitrary script from the command line. "Other command-line options remain, however, and QuickTime media link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime," Mozilla cautioned.
Apple, which has patched QuickTime four times in 2007, has not fixed the underlying vulnerability. Last week, when asked about the bug, an Apple spokesman simply said "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Coincidentally, today Petkov posted a description of another critical media player flaw. The newest bug, which is in Windows Media Player, could be used by attackers to exploit Internet Explorer vulnerabilities with malicious media files, even if the PC's owner surfs solely with Firefox, Opera, or other non-Microsoft browser.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts