Backdoor discovered in QuickTime
Security researcher Ruben Santamarta has discovered an undocumented parameter in QuickTime's ActiveX plug-in that reportedly allows attackers to inject malicious code. For an attack to succeed, a victim only has to visit a specially crafted website. The attacker places an object pointer in the _Marshaled_pUnk parameter and submits it to the plug-in, causing QuickTime to call functions in third-party DLLs. Santamarta's exploit is able to bypass the Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) mechanisms of Windows 7 and Vista.
The _Marshaled_pUnk parameter is a remnant of a function that Santamarta last found in a 2001 version of QuickTime. Although Apple removed the function in later versions, it appears that the associated parameter was overlooked. Because the parameter was implemented intentionally rather than arising from a programming error, Santamarta says that, strictly speaking, the issue is a backdoor.
Vulnerable versions include QuickTime 7.x, 6.x and potentially earlier versions in combination with Windows XP up to Windows 7. No update is available yet. Currently, the only protective measure is to prevent the ActiveX control from running, for instance by disabling the plug-in via the add-on management feature in Internet Explorer, by setting the kill bit, or by using a different browser.
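The kill bit mentioned above is a per-control flag in the registry that makes Internet Explorer refuse to instantiate an ActiveX control, regardless of which page tries to load it. The following PowerShell script is an added example, not code from the article or from Santamarta; it sets the kill bit for a control and verifies the result. The CLSID is a placeholder: the article does not give the QuickTime control's CLSID, so it must be looked up on the affected system (for example in the Internet Explorer add-on manager or under HKCR\CLSID) and substituted before the script is run. The registry path, the value name `Compatibility Flags` and the `0x400` kill-bit flag are the documented Internet Explorer mechanism; the function names are this example's own.

```powershell
# Added example: set and verify the Internet Explorer kill bit for an ActiveX control.
# Run in an elevated PowerShell session. Affects Internet Explorer only; other
# browsers load plug-ins through their own mechanisms.

# PLACEHOLDER CLSID: replace with the CLSID of the QuickTime ActiveX control
# taken from the affected system. The all-zero value is deliberately invalid.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

# Bit 0x400 in "Compatibility Flags" is the kill bit. Other bits carry other
# IE compatibility settings, so the script ORs the flag in rather than
# overwriting the value.
$KillBitFlag = 0x400

# On 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node hive,
# so both locations must be set for the control to be blocked everywhere.
function Get-KillBitKeyPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

# Returns $true only if the kill bit is set in every applicable hive.
function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($keyPath in (Get-KillBitKeyPaths -Clsid $Clsid)) {
        $item = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $false }
        if (($item.'Compatibility Flags' -band $KillBitFlag) -eq 0) { return $false }
    }
    return $true
}

# Sets the kill bit, preserving any other compatibility bits already present.
function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($keyPath in (Get-KillBitKeyPaths -Clsid $Clsid)) {
        if (-not (Test-Path -Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        $existing = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        $newValue = $existing -bor $KillBitFlag
        Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value $newValue -Type DWord
        Write-Host ("Kill bit set at {0} (Compatibility Flags = 0x{1:X})" -f $keyPath, $newValue)
    }
}

# Refuse to run with the placeholder CLSID so nothing is written by accident.
if ($Clsid -eq '{00000000-0000-0000-0000-000000000000}') {
    throw 'Replace the placeholder CLSID with the real CLSID of the control before running.'
}

Set-KillBit -Clsid $Clsid
if (Test-KillBit -Clsid $Clsid) {
    Write-Host "Verified: Internet Explorer will no longer instantiate $Clsid."
} else {
    Write-Warning "Kill bit not present in all expected hives; check permissions and the CLSID."
}
```

Because the kill bit lives under HKLM, it applies to all users of the machine and survives the control being re-registered by a reinstall, which is why it is preferred over simply unregistering the DLL. Once a fixed QuickTime version is available, the bit can be left in place for the old CLSID without affecting a control that ships under a new CLSID.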