Yesterday, Mozilla released Firefox 2.0.0.7 to fix a critical security issue related to QuickTime Media-link files.

This issue, first reported by Petko D. Petkov, could allow a remote attacker to launch Firefox with the privileges of the local user. This would allow the remote attacker to execute arbitrary code and could result in data corruption.

It should be noted that a fix included in Firefox 2.0.0.5 (MFSA 2007-23) was thought to have addressed this issue. Unfortunately, QuickTime behaves in an unexpected manner and bypasses that fix.

Mozilla has decided to remove the ability to run scripts from the command-line until such time as the QuickTime issues are addressed by Apple.