Firefox Update Fixes Apple QuickTime Flaw

Mozilla shipped an update on Tuesday to its Firefox Web browser that fixes a fairly dangerous security flaw introduced by Apple's QuickTime media player. The latest patched version is Firefox 2.0.0.7, and unless you're using an unsupported, older version of Firefox, the update should be downloaded and installed automatically.

The vulnerability was discovered by researcher Petko D. Petkov, who last week published proof-of-concept code that showed how it could be used to install software on, or steal data from, a Windows PC just by getting a user to view a specially crafted QuickTime movie or image.

Mozilla says this flaw appears to be the same one addressed in a previous QuickTime patch from Apple, but that the prior update does not fix this problem. While the Mozilla update fixes the security flaw for Firefox users, "the QuickTime Media-link files could still be used to annoy users with pop-up windows and dialogs until this issue is fixed in QuickTime," Mozilla said in its advisory.

This vulnerability remains unfixed for Internet Explorer users with QuickTime installed, and the flaw does not appear to affect Mac OS X systems.

By Brian Krebs  |  September 19, 2007; 12:05 PM ET
Categories:  New Patches  

Comments

Last year I was having so much trouble with Quicktime software triggering error messages in Symantec and Defender that I just purged every file I could locate on my hard drive that might possibly be construed as Quicktime-related. All the hassles stopped and life has continued without it. I use IE only to communicate with MS and Norton; Firefox is for everything else, which reduces my vulnerability to malware since SpywareBlaster is also on duty and AdAware does its thing.

Posted by: Grandma Linn | September 19, 2007 4:38 PM | Report abuse

I just downloaded and installed this new patch for firefox and now firefox doesn't work??
So I have to go back to using IE yukki!!

Posted by: Mike | September 19, 2007 6:49 PM | Report abuse

Yeah, the same thing happened to me--Firefox doesn't work for me now. Not happy.

Posted by: Bill Mulligan | September 19, 2007 7:38 PM | Report abuse

Same thing happened to me, and I can't figure it out. Very frustrating.

Posted by: Sarah Henderson | September 20, 2007 1:02 AM | Report abuse

same here, does not work going back to IE.

Posted by: Brock | September 20, 2007 2:37 AM | Report abuse

Firefox now freezes up at unexpected times. I even removed Quicktime from the HD. Not happy.

Posted by: Stephen | September 20, 2007 9:58 AM | Report abuse

How are other 3rd party browsers such as Opera affected by the Quicktime issue?

Posted by: Guy | September 20, 2007 10:11 AM | Report abuse

Why do you keep saying "the update should be downloaded and installed automatically." ?

I set software to stop phoning home and tell others to do the same; including Firefox. But I do keep watch on updates and valuable bloggie things such as yours.

Posted by: Anonymous | September 20, 2007 2:59 PM | Report abuse

Ever since this latest update, I've had problems with Firefox. Darned shame. I've transferred over to Netscape Navigator. No way I'm going back to IE, not with the grief I've had from it in the past, and Opera just doesn't do the job for me.
Thank you again, Mr Krebs, for timely advice and warnings, plus the commenters. At least I know WHY Firefox isn't doing its stuff.

Posted by: Sarah | September 20, 2007 3:56 PM | Report abuse

Don't update Firefox if you're in a limited user account or you may have problems. Switch to admin.

If you've updated to the latest version but receive update messages, try removing the updates files per http://kb.mozillazine.org/Updates_reported_when_running_newest_version

Posted by: A | September 20, 2007 10:15 PM | Report abuse

>>>>Don't update Firefox if you're in a limited user account or you may have problems. Switch to admin.<<<<

It's about time that Mozilla starts fully supporting running their software under limited user accounts. In the meantime, if you are running XP Pro, log in as administrator, then surf to the /Program Files/Mozilla Firefox/ folder and add your limited user account to the ACL for that folder with "Modify" privileges (right-click the folder, choose "Sharing and Security", click the "Security" tab, click "Add" if your user account name isn't already in the ACL, type in your user account name in the box, click OK, check "Modify" in the "Allow" column, then click OK.)

Yes, that opens you up to malware infecting your Mozilla Firefox folder. It's a trade-off. The *real* solution is for Mozilla to wake up already and allow their updater program to run under the System account, just like (most) AV updater programs do. If I can update my AV defs under a limited user account, there is no reason I shouldn't be able to update firefox as well.


Posted by: Anonymous | September 22, 2007 11:18 AM | Report abuse

If a normally installed copy of Firefox breaks, you can always use the portable version available at portableapps.com. In fact, you can use the portable version, running off your C disk (or any internal hard disk partition), as your regular version of Firefox, avoiding the need to "install" it at all.

I have been doing this for a long time and never had a problem updating Firefox, including the latest 2.007. Although I log onto Windows as an Admin class user, I front-end the portable Firefox with DropMyRights, so if I haven't had a problem installing Firefox updates, a limited Windows user also shouldn't have a problem.

Finally, the auto-install of Firefox updates is a configurable option, so it may not automatically self-update.

Posted by: Michael Horowitz | September 23, 2007 3:15 PM | Report abuse

Since the update I've had problems with Firefox hanging and not responding to attempts to close. I've also noticed that it remains in the background using memory even after it has been closed down and restarts if you terminate it manually... What's that about huh!?

I was drawn to this by an error message when using Piriform CCleaner (great tool!)

"You must close Firefox/Mozilla to allow the Internet Cache to be cleaned." ...

Far as I knew I had! It doesn't seem to be running from start-up or services... So I'm foxed :(

Posted by: Paul R | October 5, 2007 1:36 AM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company