Mozilla released an updated version of its browser on Tuesday to correct a critical QuickTime security vulnerability for which proof-of-concept code was available.
Firefox version 18.104.22.168 contains a patch for a Windows-based critical flaw that could lead to browser or complete system compromise, giving attackers the ability to "install malware, steal local data or otherwise corrupt the victim's computer," according to a Mozilla advisory.
The bug, revealed a week ago, is related to an error in the way Firefox handles the QuickTime plug-in, Apple's widely used multimedia platform for playing video and music files.
Discovered by Petko Petkov, founder of penetration-testing group Gnucitizen, the vulnerability can occur because earlier versions of Firefox permit the "–chrome" command-line option, which permits attackers to create malicious scripts.
A July patch was supposed to correct the flaw, "but QuickTime calls the browser in an unexpected way that bypasses the fix," according to Mozilla.
But Apple has failed to address the problem, which could lead to more command-line options enabling attackers to bombard users with pop-up windows and dialog boxes, Mozilla said.
Researchers said Firefox users need to upgrade as soon as possible.
"I looked at the exploit code and it was kind of a brain-dead thing to take and weaponise," Andrew Storms, director of security operations at nCircle, said. "It's easy enough to put one of these on a website. If you drive by, you get attacked."
An Apple spokeswoman could not be immediately reached for comment.