Firefox users had a recent rude awakening about a vulnerability in the way Apple’s QuickTime plug-in interacts with their Web browser. Far from grumbling, however, Mozilla supporters say their patch for the vulnerability says more about Mozilla’s strengths than its browser’s weakness.
“It seems that QuickTime media formats can hack into Firefox,” wrote security researcher Petko Petkov, in a post that sent Mozilla’s community developers into action to come up with a fix.
The bug exposed users to data theft and malware installation, and Mozilla’s spokesperson publicly acknowledged that the issue was serious.
Empathy at Opera
Opera, a second-row contender to diva browsers Internet Explorer and Firefox, is not gloating over Mozilla’s bug flap, however.
“We can say that it proves that making a Web browser is a complicated business,” Thomas Ford, Opera global communications manager, told LinuxInsider.
“We have always felt a responsibility for keeping our users as safe as we can. Having to account for third-party plug-ins and applications makes this trickier,” he said.
Mozilla developers moved quickly to ship a fix. “To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line,” Mozilla announced Tuesday.
“Other command-line options remain, however, and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime,” the announcement said.
One of the Mozilla community’s front-line developers is Giorgio Maone, a Palermo, Italy, software developer who is the author of NoScript, a Firefox add-on that blocks script from sites the user has not chosen to trust.
“When the recent QuickTime-based exploit pointed out that the problem had not been entirely addressed, NoScript users were still entirely safe,” Maone told LinuxInsider.
According to Maone, Mozilla’s fix took an approach similar to NoScript’s.
Mozilla’s advisory pointed out that the “NoScript add-on, however, has provided protection against this class of attack since the cross-browser vulnerabilities were discovered.”
NoScript’s “forbid other plug-ins” option extends its allowlist model from scripts to plug-in content: executable content runs only on the domains the user has explicitly chosen to trust and is blocked everywhere else. “NoScript’s commitment is providing maximum security for users who want a flexible tool allowing them to stay in control and choose the sites that can run programs inside their browsers,” Maone said.
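The allowlist model described above, as an added illustration that is not NoScript’s code or Mozilla’s: active content (script or plug-in) is allowed only when the page’s origin is on a user-chosen trust list, with a “forbid other plug-ins” switch for plug-ins on untrusted sites. The domain names and URLs below are constructed for the example, and the matching is deliberately stricter than a substring check, since `evil-trusted.example` or `trusted.example.attacker.test` must not inherit trust from `trusted.example`.

```javascript
// Added example of a NoScript-style per-site trust policy (illustrative, not NoScript's code).
// Assumes the WHATWG URL API (Node.js or a modern browser).

// Return the normalized hostname of a page, or null if the URL cannot carry trust.
function hostOf(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return null; // unparsable: treat as untrusted
  }
  // Only web origins are eligible; file:, data:, about: and friends are never trusted.
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  // URL parsing already discards user-info, so "trusted.example@attacker.test"
  // yields hostname "attacker.test". Lowercase and drop a trailing dot.
  return u.hostname.toLowerCase().replace(/\.$/, "");
}

// Exact match, or a subdomain on a label boundary:
// "www.trusted.example" matches "trusted.example"; "evil-trusted.example" does not.
function matchesTrusted(host, trusted) {
  return host === trusted || host.endsWith("." + trusted);
}

// Build a policy from the user's trust list. kind is "script" or "plugin".
function makePolicy(trustedSites, { forbidOtherPlugins = true } = {}) {
  const trusted = trustedSites.map((s) => s.toLowerCase().replace(/\.$/, ""));
  const isTrusted = (pageUrl) => {
    const host = hostOf(pageUrl);
    return host !== null && trusted.some((t) => matchesTrusted(host, t));
  };
  return {
    isTrusted,
    decide(pageUrl, kind) {
      if (isTrusted(pageUrl)) return "allow"; // trusted site: everything runs
      if (kind === "script") return "block"; // untrusted: script never runs
      // Untrusted plug-in content runs only if "forbid other plug-ins" is off.
      return forbidOtherPlugins ? "block" : "allow";
    },
  };
}

// Constructed sample inputs (hypothetical domains) showing the decisions.
const policy = makePolicy(["trusted.example"]);
const samples = [
  ["https://trusted.example/player.html", "plugin"],
  ["https://www.trusted.example/embed", "script"],
  ["https://evil-trusted.example/", "script"],
  ["https://trusted.example.attacker.test/", "plugin"],
  ["https://trusted.example@attacker.test/", "plugin"],
  ["file:///tmp/movie.qtl", "plugin"],
];
for (const [url, kind] of samples) {
  console.log(`${kind.padEnd(6)} ${policy.decide(url, kind).padEnd(5)} ${url}`);
}
```

Only the first two sample pages are trusted; the lookalike hosts, the user-info trick and the local file are all blocked. Turning `forbidOtherPlugins` off relaxes only the plug-in decision on untrusted sites, which is the trade-off the option exposes to the user.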
The incident shows that the Mozilla community can respond to a bug promptly. “A six-day timeframe to patch this bug is a glaring testament to the unparalleled reactivity of Mozilla developers,” Maone said.
“Mozilla developers chose to put their strongest efforts in working around it. This tells a lot about the responsibility and commitment of the Mozilla community when users’ safety is at stake,” he said. “Another vendor could have just blamed Apple.”