FireFox Unpatched Still ... 1 Year later Vista News Discuss FireFox Unpatched Still ... 1 Year later in the Windows Vista forums; Unpatched QuickTime bug threatens Firefox by Jose Vilches on September 14, 2007, 12:19 PM | Security researcher Petko D. Petkov has released details on a year-old vulnerability in Apple'...

[Snuffy]

Unpatched QuickTime bug threatens Firefox
by Jose Vilches on September 14, 2007, 12:19 PM |
Security researcher Petko D. Petkov has released details on a year-old vulnerability in Apple's QuickTime media player that can cause Firefox to install backdoors and other malware on a fully patched computer.


"On its own, the QuickTime issue is less critical. […]Firefox is not vulnerable either. But when put together, they create a very dangerous combination," said Petkov.

According to Petkov, the current version of QuickTime contains a flaw in its Media Link function, which enables the program to parse up to 60 different file types with a compatible extension. However, because it fails to sanitize the XML content, malicious code can be pasted into media files and executed in JavaScript form. The exploit can reportedly bypass 'chrome' privileges in Firefox and its built-in security features. The researcher posted proof-of-concept code that shows how the exploit can be used to run privileged code on an unsuspecting user's computer.

Mozilla security chief Window Snyder has confirmed this is a “very serious issue” for Firefox users and said it is working with Apple on a fix, but until that happens users are advised to disable the QuickTime plug-in.
---------------------------------------------------------------
Oh Yes, you Fire Fox ppl want a link ... http://www.techspot.com/news/27034-u...s-firefox.html
I use neither one... Whee am I glad...

[Vistanoob]

Good to know! I use Firefox, but not the quicktime plug-in. Scary news for users of both.
What browser do you use?

[Snuffy]

IE 7. with Pro addon...

I'm sort of old fashion guy, if I drive a Ford, I do not take it to the Chey garage for service, even tho I do not like the Mechanic at Ford...

It to me is rather HARD to Beta test for MS and not use there products...

[Vistanoob]

Good point!
Firefox just automatically updated and patched the Quick Time hole, so that is a relief, as I had also read about it in a recent PC World mag. I would start a new thread but I'm not sure what to include.
The new version is 2.0.0.7 The article is at PCWorld.