QuickTime leak allows trojans to be injected
In the Gnucitizen Blog Petko Petkov (pdp) reports a security vulnerability in Apple QuickTime that allows attackers to inject arbitrary code using manipulated files, web sites, or email attachments. Apple has yet to release an updated version of the software to patch the hole.
In line with Responsible Disclosure policy, Petkov has not published details in order to give Apple time to provide a patch. He has, however, uploaded a video to YouTube that demonstrates how he can launch the Windows calculator, WordPad, and Paint by opening a file with QuickTime. In the video, Petkov demonstrates the flaw both on Windows XP SP2 and Windows Vista with Service Pack 1.
QuickTime users are advised to refrain from opening files from untrusted sources until Apple has released an update. QuickTime browser plugins should also be disabled to prevent the flaw being automatically exploited should a malicious web site be visited.
- QuickTime 0day for Vista and XP, warning in the Gnucitizen Blog by pdp
- Video demonstration of the vulnerability on YouTube