Apple has patched a year-old QuickTime flaw attackers could exploit to launch arbitrary applications on targeted computers with controlled command-line arguments.
The fix applies to machines running QuickTime version 7.2 and Windows Vista and XP SP2. Mozilla updated its Firefox browser last month to address the flaw.
According to a Symantec DeepSight threat management service advisory, the problem surfaces when QuickTime attempts to handle URIs in the 'qtnext' field in .qtl files. "When attempting to handle specially-crafted .qtl files, arbitrary applications on the victim's computer may be launched with attacker-controlled command-line arguments," the advisory said. "Successfully exploiting this issue facilitates the remote compromise of affected computers."
Apple said in its QuickTime 7.2 security advisory: "A command injection issue exists in QuickTime's handling of URLs in the qtnext field in QTL files. By enticing a user to open a specially crafted .qtl file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This issue does not affect Mac OS X."
This is the second time Apple has tried to close the QuickTime security hole. Apple tried to address the problem earlier this year in the release of QuickTime 7.1.5, but the fix fell short. Researches Petko D. Petkov and Aviv Raff released proof-of-concept exploits to demonstrate how QuickTime was still vulnerable to attack.