Mozilla Updates Firefox To Patch QuickTime Bug

Six days after proof-of-concept code was released for a long-unpatched bug in Apple's QuickTime media player, Firefox is updated with a fix.

Sharon Gaudin, Contributor

September 19, 2007

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Trying to fend off attacks aimed at Apple's QuickTime media player that could hurt Firefox, Mozilla pushed out a new version of its Web browser.

Last week, Mozilla confirmed that a year-old unpatched vulnerability in Apple's QuickTime media player opens up a backdoor that could allow a hacker to break into Firefox. A researcher who discovered the flaw posted proof-of-concept exploits for it on his blog.

Now a week later, Mozilla released Firefox 2.0.0.7 to patch the QuickTime vulnerability.

"This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," wrote Window Snyder, Mozilla's top security executive, in her blog Tuesday. "This issue was patched in only six (or 6.25 according to John O'Duinn) days. When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks, you guys, for helping destroy the economics of malicious exploit development."

The U.S.-CERT is recommending users update to the new release.

Petko D. Petkov, a penetration tester who discovered the bug, said in a blog post that the "vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system." Petkov released information about two QuickTime bugs a year ago, but noted that only one has been patched. The other remains a problem, especially for users of the open-source Firefox browser.

The researcher said in his blog, Gnucitizen, that he posted a demonstration of how the bug could be used to hack into Firefox to make a point. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened."

Apple issued at least three separate patch updates for QuickTime in the last several months.

QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. ITunes, in turn, uses QuickTime.

Read more about:

20072007

About the Author

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights