Update on QuickTime plugin vulnerability
Window Snyder, of the Mozilla Security Office, has confirmed the vulnerability affecting the QuickTime plugin on Firefox and said that Mozilla is already working on a patch with Apple.
Work in progress is being tracked in bug 395942 (thanks to Jesse for pointing it out). Among other findings, further analysis revealed that the vulnerability affects Windows users only (not that it’s a small number, but…) and that QuickTime makes a direct call to the identified default browser instead of using a Windows API, which would prevent an attack attempt like this.
While Mozilla is working with Apple, it is also evaluating the possibility of limiting the scope of the -chrome command line parameter to only internal URLs like chrome:// and resource://; or even removing the parameter completely.
The -chrome parameter lets you start Firefox with an interface other than the default one. For example, running firefox -chrome chrome://browser/content/bookmarks/bookmarksManager.xul starts Firefox with just the Bookmark Manager window. This provides some convenient options, like starting ChatZilla or FireFTP as “stand alone” applications.
However, there are some other uses beyond convenience including some automated tests performed as part of the quality assurance process. So a partial limitation could be the best way to go.
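One way such a partial limitation could look, as an added example that is not Mozilla's code: an allowlist that honors -chrome only for chrome:// and resource:// URLs and drops the flag together with its value otherwise. The function names, ALLOWED_SCHEMES and the sample argument vector are hypothetical, and matching the flag case-insensitively is an assumption made to stay conservative.

```javascript
// Added example, not Firefox source. All names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["chrome", "resource"]);

// True only for URLs of the form <allowed-scheme>://...
// Anything containing whitespace or control characters is refused outright
// rather than normalised, so the check never disagrees with a later parser.
function isInternalChromeUrl(url) {
  if (typeof url !== "string" || /[\u0000-\u0020\u007f]/.test(url)) {
    return false;
  }
  // RFC 3986 scheme syntax, followed by "//" as in chrome:// and resource://
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\//.exec(url);
  return m !== null && ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Walk an argument vector. A -chrome flag whose value is not an internal URL
// is removed together with that value, so the value is not reinterpreted
// as an ordinary positional argument further down the line.
function filterChromeArgs(argv) {
  const kept = [];
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    if (argv[i].toLowerCase() !== "-chrome") {
      kept.push(argv[i]);
      continue;
    }
    const value = argv[i + 1];
    if (value !== undefined && isInternalChromeUrl(value)) {
      kept.push(argv[i], value);
    } else {
      rejected.push(value === undefined ? "(missing value)" : value);
    }
    i++; // consume the value slot as well
  }
  return { kept, rejected };
}

// Constructed sample input: the first URL is the one from the text above,
// the second is an external URL that the allowlist must refuse.
const SAMPLE_ARGV = [
  "firefox",
  "-chrome", "chrome://browser/content/bookmarks/bookmarksManager.xul",
  "-chrome", "http://example.com/ui.xul",
];
console.log(filterChromeArgs(SAMPLE_ARGV));
```

The automated-test and “stand alone” application uses mentioned above keep working under this check as long as they load their interface from chrome:// or resource://.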
It remains unknown when the change could be in place. The next Firefox update, 2.0.0.7, is scheduled for early October and there may be enough time for a related fix to get in.



