Apple released a security update for its QuickTime media player on Wednesday, patching a flaw that allows remote users to execute arbitrary code on Windows PCs.
Security Update for QuickTime 7.2 for Windows patches the flaw on PCs running Vista and XP operating systems.
An attacker can take advantage of the flaw on unpatched machines by enticing the user to view a specially crafted QTL file, which can lead to arbitrary code execution.
The vulnerability exists in QuickTime's handling of URLs in the qtnext field of QTL files. The issue, which does not affect computers running Apple's Mac OS X operating system, is fixed through improved handling of URLs, according to Apple's advisory.
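A defender-side check for the field named above, added here as an example that is not from the article or from Apple: it pulls the qtnext URLs out of a QTL file and flags any whose scheme falls outside a small allow-list, which catches javascript: links of the kind the quotes below describe. The QTL syntax it parses (embed attributes, bracketed link values) and the two sample files are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Conservative allow-list of schemes a qtnext link legitimately needs
# (assumption for this example, not from the article; tune per environment).
# The empty scheme covers relative links such as "next.mov".
ALLOWED_SCHEMES = {"", "http", "https", "rtsp"}

# Matches qtnext / qtnext1 / qtnext2 ... attributes in either quote style.
# A regex is used instead of a strict XML parser because QTL values such as
# "<http://host/a.mov> T<myself>" contain a raw '<' (assumption about the format).
_QTNEXT_RE = re.compile(r"\bqtnext\d*\s*=\s*(['\"])(.*?)\1", re.IGNORECASE | re.DOTALL)
_BRACKET_RE = re.compile(r"^\s*<([^>]*)>")

def qtnext_urls(qtl_text):
    """Return the URL part of every qtnext attribute in a QTL document."""
    urls = []
    for _quote, value in _QTNEXT_RE.findall(qtl_text):
        m = _BRACKET_RE.match(value)
        urls.append((m.group(1) if m else value).strip())
    return urls

def suspicious_qtnext(qtl_text):
    """Return qtnext URLs whose scheme is outside ALLOWED_SCHEMES
    (urlsplit lowercases the scheme, so JavaScript: is caught too)."""
    return [u for u in qtnext_urls(qtl_text)
            if urlsplit(u).scheme.lower() not in ALLOWED_SCHEMES]

# Constructed sample QTL documents (not from the article).
BENIGN_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="intro.mov" autoplay="true"
       qtnext="<http://media.example.invalid/next.mov> T<myself>"
       qtnext2="<next2.mov> T<myself>"/>"""

MALICIOUS_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="intro.mov" qtnext="<javascript:alert(1)> T<myself>"/>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_QTL), ("malicious", MALICIOUS_QTL)):
        print(name, "flagged:", suspicious_qtnext(doc))
```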
An Apple representative could not immediately be reached for comment.
In September, Mozilla patched a QuickTime flaw in Firefox that had been disclosed by researcher Petko Petkov earlier that month.
At the time, Petkov explained that such files can contain malicious code that executes on remote machines.
“To sum up, QTL files can contain malicious JavaScript code that can take over some important network device when executed,” he said.
Amol Sarwate, director of the vulnerability research lab at Qualys, told SCMagazineUS.com today that attacks via media files are becoming more common.
“QuickTime and many of the media players today are embedded in many websites, so if you visit, they have animations, clips and music. So it affects not just home users, but corporate users as well,” he said. “This is part of the trend of new media type of attacks, meaning vulnerabilities or attacks that come via videos or music files. These new media types of attacks make use of social engineering or social networking websites.”