In association with heise online

30 April 2008, 17:02

QuickTime leak allows trojans to be injected

In the Gnucitizen blog, Petko Petkov (pdp) reports a security vulnerability in Apple QuickTime that allows attackers to inject arbitrary code using manipulated files, web sites, or email attachments. Apple has yet to release an updated version of the software to patch the hole.

In line with Responsible Disclosure policy, Petkov has not published details in order to give Apple time to provide a patch. He has, however, uploaded a video to YouTube that demonstrates how he can launch the Windows calculator, WordPad, and Paint by opening a file with QuickTime. In the video, Petkov demonstrates the flaw both on Windows XP SP2 and Windows Vista with Service Pack 1.

QuickTime users are advised to refrain from opening files from untrusted sources until Apple has released an update. QuickTime browser plugins should also be disabled to prevent the flaw being automatically exploited should a malicious web site be visited.
