Company issues new update for QuickTime vulnerability
Mozilla has issued a new fix for a Firefox vulnerability which it had supposedly patched in July.
The vulnerability lies in the way Firefox handles JavaScript code in QuickTime files, such as .mov and .mp3. Malicious code could be disguised as a media file which would be launched in Firefox via QuickTime.
The code would then be able to run with the privileges of the current user, possibly leading to a malware installation or data theft.
The flaw was originally reported in July as a cross-browser attack between Internet Explorer and Firefox. Mozilla reacted quickly, issuing a fix four days later.
However, security researcher Petko D. Petkov found that neither Apple nor Mozilla had completely plugged the hole, and that Firefox remained vulnerable to a serious attack. Petkov posted code and working samples of the attack in a blog entry.
Mozilla noted that the latest fix will prevent attackers from executing the commands that could allow for full system access and remote code execution.
But the company warned that the QuickTime issue remains, and that the flaw could still be used to flood users with pop-ups and dialogue boxes.
Spokespersons for Apple did not immediately return a request for comment. The company does not normally discuss security issues until a fix has been released.
Petkov said that Internet Explorer 7 was also found to be vulnerable, but noted that the browser's security controls limit the effectiveness of the attack. Internet Explorer 6 is not affected.
Mozilla has issued a new fix for a Firefox vulnerability which it had supposedly patched in July.
The vulnerability lies in the way Firefox handles JavaScript code in QuickTime files, such as .mov and .mp3. Malicious code could be disguised as a media file which would be launched in Firefox via QuickTime.
The code would then be able to run with the privileges of the current user, possibly leading to a malware installation or data theft.
The flaw was originally reported in July as a cross-browser attack between Internet Explorer and Firefox. Mozilla reacted quickly, issuing a fix four days later.
However, security researcher Petko D. Petkov found that neither Apple nor Mozilla had completely plugged the hole, and that Firefox remained vulnerable to a serious attack. Petkov posted code and working samples of the attack in a blog entry.
Mozilla noted that the latest fix will prevent attackers from executing the commands that could allow for full system access and remote code execution.
But the company warned that the QuickTime issue remains, and that the flaw could still be used to flood users with pop-ups and dialogue boxes.
Spokespersons for Apple did not immediately return a request for comment. The company does not normally discuss security issues until a fix has been released.
Petkov said that Internet Explorer 7 was also found to be vulnerable, but noted that the browser's security controls limit the effectiveness of the attack. Internet Explorer 6 is not affected.
Share this page
Email this page
Back to Top
Home
Edit Post
0 comments: