Apple closes back door in QuickTime 7
Apple has released QuickTime 7.6.8 for Windows to close two critical security vulnerabilities in its media player. One of the holes is the vulnerability in QuickTime's ActiveX plug-in discovered by security expert Ruben Santamarta at the end of August: An undocumented parameter allowed attackers to inject and execute malicious code.
The update also addresses the DLL vulnerability on Windows that was disclosed four weeks ago. Apple said that the previous version of QuickTime's Picture Viewer retrieved DLLs from the current working directory. The update removes the working directory from the list of DLL search paths.
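The effect of removing the working directory from the search list can be seen in a simplified model of the Windows DLL search order. This is an added example, not code from Apple or from the original article; the directory layout and the name `example.dll` are constructed placeholders, and the order modelled is application directory, system directory, current working directory, then `PATH`.

```python
import os
import tempfile


def search_order(app_dir, system_dirs, cwd, path_dirs, include_cwd=True):
    """Simplified model of the Windows DLL search order (safe search mode)."""
    order = [app_dir, *system_dirs]
    if include_cwd:          # the behaviour the update removes
        order.append(cwd)
    order.extend(path_dirs)
    return order


def resolve(dll_name, order):
    """Return the first directory in `order` that holds dll_name, else None."""
    wanted = dll_name.lower()  # Windows file names are case-insensitive
    for directory in order:
        try:
            names = os.listdir(directory)
        except OSError:
            continue           # missing or unreadable directories are skipped
        if any(name.lower() == wanted for name in names):
            return directory
    return None


def demo():
    """Build a constructed layout and resolve two DLL names both ways."""
    with tempfile.TemporaryDirectory() as root:
        dirs = {n: os.path.join(root, n) for n in ("app", "system32", "share", "path")}
        for d in dirs.values():
            os.mkdir(d)
        # Constructed sample: "share" is the folder a picture was opened from
        # (the process's working directory) and also holds an untrusted DLL.
        open(os.path.join(dirs["share"], "example.dll"), "wb").close()
        open(os.path.join(dirs["system32"], "kernel32.dll"), "wb").close()
        results = {}
        for include_cwd in (True, False):
            order = search_order(dirs["app"], [dirs["system32"]],
                                 dirs["share"], [dirs["path"]], include_cwd)
            for dll in ("example.dll", "kernel32.dll"):
                hit = resolve(dll, order)
                results[(include_cwd, dll)] = os.path.basename(hit) if hit else None
        return results


if __name__ == "__main__":
    for key, where in demo().items():
        print(key, "->", where)
```

A DLL that exists in the system directory resolves there in both cases; only a name that is missing from the trusted directories falls through to the working directory, which is why dropping that entry closes the hole without affecting normal loads.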
The update is about 33 MB in size. However, Apple continues to offer the vulnerable version 7.6.7 when bundled with iTunes 10, released in early September. All users are advised to upgrade.
- About the security content of QuickTime 7.6.8, security advisory from Apple.
- iTunes 10 addresses 13 security vulnerabilities, a report from The H.