Yesterday we received reports about a flaw in Apple's QuickTime player. According to the reports, this flaw can potentially allow an attacker to exploit the user's machine through the browser by making it run arbitrary code without user interaction – a classic drive-by vulnerability.
Following a blog post by Ruben Santamata, the flaw apparently stems from the vulnerable file QTPlugin.ocx, which is part of the default QuickTime installation. According to the analysis, the flaw affects the latest version of QuickTime (7.67.75.0), as well as older versions of 7.x and 6.x.
The DLL file (QTPlugin.ocx) that holds the reported vulnerability is an ActiveX control used by Internet Explorer. Thus, the vulnerability applies only to that browser, not to any other browser.
We are currently looking into this report and are doing more analysis. We have also started searching for any malicious code on the Web that might emerge and take advantage of this vulnerability. Our customers are protected from attacks that use this vulnerability by ACE, which includes our generic shellcode analytics.
It's certainly not the first time that QuickTime has suffered from such vulnerabilities. One of the latest was CVE-2010-1799, which Apple has already managed to patch near the start of August.
We'll keep you updated on any developments.
View full post on Security Labs
Related Posts
- Apple patches 15 QuickTime bugs in Leopard, Windows
Apple on Tuesday patched 15 vulnerabilities in its QuickTime media player for Windows and Mac OS X 10.5, aka Leopard. - on Computerworld Security News... - Apple QuickTime 7.6.9 Fixes 15 Vulnerabilities
A new version of Apple QuickTime fixes 15 vulnerabilities, nearly all critical.
All 15 fixes affect the Windows versions of QuickTime. 13 of them affect the Mac version as well.
14 vulnera... - Apple patches months-old QuickTime bugs
Apple patched a critical vulnerability in QuickTime on Wednesday that was reported to the company by a bug bounty program months ago.
View full post on Computerworld Security News... - Apple Updates QuickTime for Windows, Kills Two Bugs
Apple has released QuickTime 7.6.8 for Windows, fixing 2 vulnerabilities limited to the Windows version.
The first was the famous (in some circles) '_Marshaled_pUnk' vulnerability. Apple had... - Quicktime 0-day actively used in the wild
Following our recent posting of an Apple Quicktime 0-day vulnerability, Websense Security Labs™ ThreatSeeker™ Network has discovered exploitation of this vulerability in the wild... - Apple had two months to fix critical QuickTime bug, says researcher
A critical bug in QuickTime was reported to Apple two months before a second researcher independently revealed the vulnerability this week, the director of a bug bounty program said Friday.
View fu... - Apple QuickTime potential vulnerability/backdoor, (Mon, Aug 30th)
A vulnerability/backdoor in Apple Quicktime has been announced, and we are keeping an eye on it.
Cheers,
Adrien de Beaupr
EWA-Canada.com
(c) SANS Internet Storm Center. http://isc.sans.org Crea... - Old Apple QuickTime code puts IE users in harm’s way
Apple's failure to clean up old code in QuickTime leaves people running Internet Explorer vulnerable to drive-by attacks, a Spanish security researcher said today.
View full post on Computerworld S... - Apple Patches QuickTime for Windows
Apple has issued QuickTime version 7.6.7 for Windows to fix a vulnerability in that product. The Mac version of QuickTime is not affected.
View full post on PCMag.com Security Coverage... - Apple Fixes QuickTime for Windows
Apple has issued QuickTime version 7.6.7 for Windows to fix a vulnerability in that product. The Mac version of QuickTime is not affected.
The vulnerability is a stack overflow in QuickTime'...
Posted on 01 September 2010. Tags: 0day, Apple, QuickTime
