Firefox 2.0.0.7 Fixes QuickTime Exploit

Mozilla released Firefox 2.0.0.7 on Tuesday. It provides a security fix for a QuickTime bug in Windows.

The formal fix descreiption is as follows: "MFSA 2007-28 Code execution via QuickTime Media-link files."

In more detail, QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. The fix for MFSA 2007-23 was intended to prevent this type of attack but QuickTime calls the browser in an unexpected way that bypasses that fix. To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line, according to the Mozilla team.

The fix description does not appear to affect Mac OS X, however, Mac users may want to also download version 2.0.0.7 to be up to date.