Windows vulnerability allowed scripted attacks
Apple has patched a flaw in QuickTime that could allow for remote attacks.
The fix addresses a vulnerability in the Windows Vista and XP versions of QuickTime, which is commonly installed as a browser plug-in or as a component of iTunes. OS X users are not affected.
Apple said that the problem concerns QuickTime Media Links (QTLs), which are often used to launch media files from browsers.
If a specially crafted QTL is launched, QuickTime can allow access to a command line, which could then be used to execute malicious code.
Security researcher Petko D Petkov showed last month how a malformed QTL file could be placed within a web page and disguised as a movie or song file.
When clicked, the links would allow JavaScript code to run with the privileges of the current user.
The researcher provided several proof-of-concept samples which caused vulnerable machines to display alert boxes, launch arbitrary applications and even shut down.
Although the Apple security notice does not specifically mention the report, a spokesperson confirmed that the fix addresses the flaw described by Petkov.
Users can obtain the update via the Software Update application or from Apple's support site.