Apple fixes QuickTime flaw on Windows Vista, XP
By Ruben Francia
Apple has released security updates for Windows Vista and XP versions of QuickTime to fix a 13-month-old QuickTime flaw.
The bug was first reported in September 2006 by UK security researcher Petko Petkov but it seems Apple completely ignored it. The company shipped QuickTime 7.1.5 with a fix early this year, but failed to address the reported vulnerability.
This situation prompted Petkov to post a proof-of-concept exploit on his blog last month. According to Petkov, “the result of this vulnerability can lead to full compromise of the browser and maybe even the underlying operating system.”
Days after the release of the proof-of-concept, Mozilla security chief Window Snyder acknowledged the risk for Firefox users and said “[We are] working with Apple to keep our users safe and we are also investigating ways to mitigate this more broadly in Firefox.” Later, Firefox issued a new version of its browser to block code execution attacks, ZDNet wrote.
Apple, for its part, recently acknowledged the flaw, which it said “allows malicious manipulation of QuickTime Media Link (.qtl) files may lead to arbitrary code execution.”
“A command injection issue exists in QuickTime’s handling of URLs in the qtnext field in QTL files. By enticing a user to open a specially crafted QTL file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution,” Apple said.
The patched QuickTime can be downloaded from Apple’s site.
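For defenders who want to triage `.qtl` files on a mail gateway or file share, the following is an added example (not code from Apple, Mozilla or Petkov) that audits the `qtnext` field named in Apple's advisory against a strict allowlist. It assumes a QTL file is a small XML document whose `embed` element carries `qtnext` attributes; the sample files, the allowlist and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: a legitimate "next item" is always a plain web URL.
ALLOWED_SCHEMES = {"http", "https"}
# Characters that have no place in a bare URL handed to another program.
FORBIDDEN_CHARS = set(" \t\r\n\"'`<>|&;")

def check_qtnext_value(value):
    """Return the reasons a value is not a plain http(s) URL (empty list = OK)."""
    reasons = []
    if any(ch in FORBIDDEN_CHARS for ch in value):
        reasons.append("contains whitespace, quotes or shell metacharacters")
    try:
        parts = urlsplit(value)
    except ValueError:
        return reasons + ["not parseable as a URL"]
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append(f"scheme {parts.scheme!r} not in allowlist")
    elif not parts.netloc:
        reasons.append("no host in URL")
    return reasons

def audit_qtl(xml_text):
    """Return {attribute: [reasons]} for every qtnext* attribute that fails."""
    # For untrusted input at scale, prefer a hardened parser such as defusedxml.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"<parse>": [f"not well-formed XML: {exc}"]}
    findings = {}
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if name.lower().startswith("qtnext"):
                reasons = check_qtnext_value(value.strip())
                if reasons:
                    findings[name] = reasons
    return findings

# Constructed sample files (not taken from any real advisory or exploit).
GOOD_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="http://media.example.com/a.mov" qtnext="http://media.example.com/b.mov"/>"""
BAD_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="http://media.example.com/a.mov" qtnext="placeholder-scheme:value -constructed-argument"/>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_QTL), ("bad", BAD_QTL)):
        print(label, audit_qtl(doc))
```

An allowlist is used rather than a blocklist because the advisory describes the field's content reaching another application's command line, so anything other than a well-formed web URL is treated as suspect.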