News Stay informed about the latest enterprise technology news and product updates.

Apple patches persistent QuickTime flaw

A year-old flaw in the popular Apple QuickTime media player has been fixed. The fix applies to Windows machines running the application.

Apple has patched a year-old QuickTime flaw attackers could exploit to launch arbitrary applications on targeted...

computers with controlled command-line arguments.

The fix applies to machines running QuickTime version 7.2 and Windows Vista and XP SP2. Mozilla updated its Firefox browser last month to address the flaw.

According to a Symantec DeepSight threat management service advisory, the problem surfaces when QuickTime attempts to handle URIs in the 'qtnext' field in .qtl files. "When attempting to handle specially-crafted .qtl files, arbitrary applications on the victim's computer may be launched with attacker-controlled command-line arguments," the advisory said. "Successfully exploiting this issue facilitates the remote compromise of affected computers."

Apple said in its QuickTime 7.2 security advisory: "A command injection issue exists in QuickTime's handling of URLs in the qtnext field in QTL files. By enticing a user to open a specially crafted .qtl file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This issue does not affect Mac OS X."

This is the second time Apple has tried to close the QuickTime security hole. Apple tried to address the problem earlier this year in the release of QuickTime 7.1.5, but the fix fell short. Researches Petko D. Petkov and Aviv Raff released proof-of-concept exploits to demonstrate how QuickTime was still vulnerable to attack.

Dig Deeper on Productivity apps and messaging security

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.