Last Updated: 2007-09-19 13:18:57 UTC
by Maarten Van Horenbeeck (Version: 1)
Mozilla has issued a security update for Firefox. It resolves a new exploitation pathway for the MFSA 2007-23 advisory. As you may recall, that advisory dealt with the way Internet Explorer could invoke either Firefox or Thunderbird. These applications support a "-chrome" option, which loads a specified chrome package but could also be abused to execute code.
The new fix removes the ability to run arbitrary scripts from the command line. It was implemented specifically because of a finding in QuickTime media-link files: a 'qtnext' attribute allowed parameters to be passed to a web browser, which would be invoked once playback of the media file finished.
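As an added example (not part of the original diary or of Mozilla's or Apple's code), the following Python checker shows how a defender can inspect QuickTime media-link documents for a 'qtnext' value that looks like browser command-line arguments rather than a plain media URL. It assumes the media-link layout of an <embed> element carrying src and qtnext attributes; the two sample documents are constructed, the suspicious one carries only a placeholder after the switch, and the allowed-scheme list and hostname example.invalid are assumptions for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a benign media-link file whose qtnext is an ordinary media URL.
BENIGN_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="http://example.invalid/intro.mov" qtnext="http://example.invalid/next.mov" autoplay="true"/>
"""

# Constructed sample: qtnext carries what looks like a browser command-line switch
# instead of a URL (the pattern the diary describes; the argument is a placeholder).
SUSPICIOUS_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="http://example.invalid/intro.mov" qtnext="-chrome PLACEHOLDER"/>
"""

# Assumed allow-list: schemes a media player would legitimately hand to a browser or player.
ALLOWED_SCHEMES = {"http", "https", "rtsp"}


def classify_qtnext(value):
    """Return the reasons a qtnext value does not look like a plain media URL (empty if it does)."""
    reasons = []
    v = value.strip()
    if v.startswith("-"):
        reasons.append("starts like a command-line switch")
    if re.search(r"\s", v):
        reasons.append("contains whitespace (looks like multiple arguments)")
    scheme = urlsplit(v).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"unexpected scheme {scheme!r}")
    if "-chrome" in v.lower():
        reasons.append("references the -chrome option")
    return reasons


def scan_qtl(xml_text):
    """Parse a media-link document; map each flagged qtnext value to its list of reasons."""
    root = ET.fromstring(xml_text)
    findings = {}
    # qtnext normally sits on the root <embed>, but check nested elements as well.
    for el in root.iter():
        nxt = el.get("qtnext")
        if nxt is None:
            continue
        reasons = classify_qtnext(nxt)
        if reasons:
            findings[nxt] = reasons
    return findings


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_QTL), ("suspicious", SUSPICIOUS_QTL)):
        print(name, scan_qtl(doc))
```

The check is deliberately structural: any qtnext that is not a bare URL with an expected scheme is reported, so it does not depend on knowing a specific payload. Run it over media-link files arriving at a mail gateway or web proxy, or over a download directory, and treat any finding as a reason to confirm the patched Firefox build is deployed.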
We strongly advise you to install the updated version if you have the QuickTime plugin installed in any form.