
Firefox 2.0.0.7 update fixes QuickTime vulnerability

Published: September 18th, 2007

Mozilla has released a critical security update for Firefox that patches a vulnerability involving Apple’s QuickTime plugin reported last week. The vulnerability is due to a number of design flaws, including interpreting command files (.qtl) named as media files (e.g. .mp3), not using OS-level interfaces to call the default browser, and allowing the use of insecure web addresses in parameters.

To prevent this and other possible attacks originating from similarly poorly designed applications, Mozilla has opted to reduce some Firefox command line conveniences for the sake of security. In brief, the chrome parameter can no longer be used with web addresses starting with javascript: or data:, which should have very little impact on web developers and users.

According to the security notes for QuickTime 7.1.5, released earlier this year, the qtnext parameter in .qtl files should only allow http: and https: web addresses (and file:// for locally opened .qtl files). Had this protection been in place, there would currently be no security vulnerability. We’ll have to wait for Apple to repatch this in the next QuickTime update.
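The two scheme rules described above (the Firefox restriction on the chrome parameter and the qtnext allowlist from the QuickTime 7.1.5 notes) can be sketched as follows. This is an added example, not Mozilla's or Apple's code; the function names, the whitespace normalisation and the rejection of scheme-less qtnext values are assumptions made for illustration.

```javascript
// Added example: hypothetical scheme checks modelled on the rules in the post.

// Return the lowercased scheme as a lenient URL consumer would see it:
// leading whitespace/control characters and embedded tab/CR/LF are removed
// first, so "Java\nScript:" is treated as "javascript:".
function extractScheme(value) {
  const cleaned = String(value)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist: qtnext may only point at http: or https:, plus file: when the
// .qtl file itself was opened locally. Anything else, including values with
// no scheme at all (assumption: reject), is refused.
function isAllowedQtnext(value, openedLocally) {
  const scheme = extractScheme(value);
  if (scheme === "http" || scheme === "https") return true;
  return scheme === "file" && openedLocally === true;
}

// Denylist: the chrome command line parameter refuses javascript: and data:
// addresses and accepts everything else.
function isAllowedChromeArg(value) {
  const scheme = extractScheme(value);
  return scheme !== "javascript" && scheme !== "data";
}

// Constructed sample values, not taken from any real .qtl file.
const samples = [
  ["http://example.com/next.mov", false],
  ["file:///tmp/next.mov", false],
  ["file:///tmp/next.mov", true],
  [" \tJava\nScript:void(0)", true],
  ["next.mov", true],
];
for (const [value, local] of samples) {
  console.log(JSON.stringify(value), "local:", local,
    "qtnext ok:", isAllowedQtnext(value, local));
}
```

The allowlist fails closed on any scheme it does not recognise, while the denylist only stops the two schemes it names, which is why normalising the value before comparison matters more for the second check.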

As usual, you can wait for Firefox to prompt for the update within 48 hours or start it right away by selecting Check for Updates… in the Help menu.
