From Mozilla Links
GNUCITIZEN, a “creative hacker organization”, has disclosed details on a severe security vulnerability affecting Firefox users that have installed the QuickTime plugin on Windows or Mac OS X, which at a minimum includes all iTunes users.
To make things worse, the QTL files can be renamed as .mp3, .mpg, .avi or any of a couple of dozen file formats QuickTime supports and it will handle them properly, easing the scenario for possible attacks.
The test cases posted by GNUCITIZEN are really scary: click on an mp3 and the QuickTime plugin tries to load the file which doesn’t exist so it quickly completes and launches Windows Calculator. But it could be any application with any parameter.
The article goes on to recommend the removal of QuickTime from your system. However for me that is not something I really want to do. Oddly enough I do use QuickTime quite frequently. A blog I frequent uses QuickTime videos and my internet based answering service uses QuickTime for the messages (although I could choose to download them as MP3). Further it is important to understand that is a QuickTime issue and it is NOT just isolated to Firefox and Windows. It also affects IE (but not as severely) and even the immortal Macs.
While bug 395942 was caught early enough that it could be patched in Firefox 220.127.116.11, what is one suppose to do in the mean time? You can go thru the process of removing QuickTime wait for new versions of Firefox and QuickTime and then reinstall. But there is a batter option, thanks to our friends on the CyberNet Forum. Turns out the NoScript extension will protect your from this vulnerability.