Mozilla Updates Firefox To Patch QuickTime Bug

Six days after proof-of-concept code was released for a long-unpatched bug in Apple’s QuickTime media player, Firefox is updated with a fix.

Last week, Mozilla confirmed that a year-old unpatched vulnerability in Apple’s QuickTime media player opens up a backdoor that could allow a hacker to break into Firefox. A researcher who discovered the flaw posted proof-of-concept exploits for it on his blog.

Now, a week later, Mozilla has released Firefox 2.0.0.7 to patch the QuickTime vulnerability.


“This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple,” wrote Window Snyder, Mozilla’s top security executive, in her blog Tuesday. “This issue was patched in only six (or 6.25 according to John O’Duinn) days. When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks, you guys, for helping destroy the economics of malicious exploit development.”

US-CERT is recommending that users update to the new release.

Petko D. Petkov, a penetration tester who discovered the bug, said in a blog post that the “vulnerability can lead to a full compromise of the browser and maybe even the underlying operating system.” Petkov released information about two QuickTime bugs a year ago, but noted that only one has been patched. The other remains a problem, especially for users of the open-source Firefox browser.

Apple issued at least three separate patch updates for QuickTime in the last several months.

Source: InformationWeek

1 Comment so far »

  1. DigitMemo.com » Firefox Won’t Save You from IE Flaws said

    on September 20 2007 @ 2:17 am

    […] meta file is QTL, the format that was exploited in a recent QuickTime vulnerability he discovered. (Mozilla fixed the QuickTime vulnerability in Firefox on Sept. 18, but Apple has yet to fix the primary QuickTime flaw.) Other media meta files include […]
