Article

Apple patches persistent QuickTime flaw

SearchSecurity.com Staff

Apple has patched a year-old QuickTime flaw attackers could exploit to launch arbitrary applications on targeted computers with controlled command-line arguments.

The fix applies to machines running

    Requires Free Membership to View

QuickTime version 7.2 and Windows Vista and XP SP2. Mozilla updated its Firefox browser last month to address the flaw.

According to a Symantec DeepSight threat management service advisory, the problem surfaces when QuickTime attempts to handle URIs in the 'qtnext' field in .qtl files. "When attempting to handle specially-crafted .qtl files, arbitrary applications on the victim's computer may be launched with attacker-controlled command-line arguments," the advisory said. "Successfully exploiting this issue facilitates the remote compromise of affected computers."

Apple said in its QuickTime 7.2 security advisory: "A command injection issue exists in QuickTime's handling of URLs in the qtnext field in QTL files. By enticing a user to open a specially crafted .qtl file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This issue does not affect Mac OS X."

This is the second time Apple has tried to close the QuickTime security hole. Apple tried to address the problem earlier this year in the release of QuickTime 7.1.5, but the fix fell short. Researches Petko D. Petkov and Aviv Raff released proof-of-concept exploits to demonstrate how QuickTime was still vulnerable to attack.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: