Firefox Update Addresses QuickTime-triggered Vulnerability
Users of Firefox yesterday began receiving notices of the availability of version 22.214.171.124, which the Mozilla organization said addresses a vulnerability involving Apple's QuickTime plug-in. In BetaNews tests of the new version this afternoon, the vulnerability in question appears to have been fully patched.
As security consultant Petko D. Petkov demonstrated last week, that hole could be easily exploited on Windows XP-based systems where Firefox was the default browser. In his non-malicious example, Petkov was able to trigger Notepad and other non-harmful programs to run.
BetaNews tried several permutations of Petkov's exploit on Windows XP and Windows Vista systems where the recently patched Firefox 126.96.36.199 was the default browser. In each case, the exploit did not trigger an executable file to run; instead, a second copy of Firefox would run and pull up its usual home page.
As Mozilla security chief Window Snyder posted on her team's blog on Tuesday, as the patch was being prepared for release, "When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks you guys, for helping destroy the economics of malicious exploit development."
But as Petkov proclaimed last week, he had been trying to awaken Mozilla's attention to the existence of the basic trigger behind the exploit for as long as a whole year.
Rather than gloat about having catalyzed a solution to the problem, Petkov announced on his blog today that he had discovered a similarly highly vulnerable exploit involving Adobe PDF files. He has not yet revealed details, instead publicly requesting Adobe to contact him personally for more information.