Wed, Sep 19 2007 9:40
Mozilla Foundation Security Advisory 2007-28
On his blog Petko D. Petkov
reported that QuickTime Media-Link files contain a
attribute that could be used on Windows systems to launch the default browser
with arbitrary command-line options. When the default browser is
Firefox 18.104.22.168 or earlier use of the
-chrome option allowed a remote
attacker to run script commands with the full privileges of the user. This
could be used to install malware, steal local data, or otherwise corrupt
the victim's computer.
The fix for MFSA 2007-23 was intended
to prevent this type of attack but QuickTime calls the browser in an
unexpected way that bypasses that fix. To protect Firefox users from
this problem we have now eliminated the ability to run arbitrary script
from the command-line. Other command-line options remain, however,
and QuickTime Media-link files could still be used to annoy users
with popup windows and dialogs until this issue is fixed
This QuickTime issue appears to be the one described by
CVE-2006-4965 but the fix Apple applied in QuickTime 7.1.5
does not prevent this version of the problem.
NOTE:Gran Paradiso Alpha 8 does not contain the fix
for this vulnerability.
attack; in vulnerable versions scripts passed through the
much as interpreters for languages such as perl and
Python execute scripts passed on the command line.
NoScript add-on, however, has provided protection against this class of
attack since the cross-browser vulnerabilities described by MFSA 2007-23
Filed under: Advisories / Bulletins