QuickTime and Firefox vulnerability
"In practice I can do anything with the browser, like installing browser backdoors, and the operating system if the victim is running with administrative privileges. However, just for the sake of this demonstration, I simply open calc.exe. Keep in mind that the exploit is cross-platformed."
"Before we move on, I have to say a few things. Last year I disclosed two highly critical QuickTime vulnerabilities here and here. The first vulnerability was fixed but the second one was completely ignored. I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."
Note that the exploit apparently also works in IE, but its impact is not as critical "due to the tightened security policies IE implements for local zone scripts".
"If Firefox is the default browser when a user plays a malicious media file handled by Quicktime, an attacker can use a vulnerability in Quicktime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in Quicktime. So far this is only reproducible on Windows.
Petkov provided proof of concept code that may be easily converted into an exploit, so users should consider this a very serious issue."
The latest version of QuickTime is Version 7.2 - it is strongly recommended that you download and install this version from here. Sorry, but I can't cast my eye over the End User Licence Agreement because the link on the QuickTime download page is broken - good one Apple.