Active exploits targeting Apple QuickTime zero-day

By on
Active exploits targeting Apple QuickTime zero-day

Flaw able to bypass two Windows security features.

Attackers are now actively exploiting a recently published zero-day vulnerability in Apple QuickTime, security firm Websense disclosed.

The flaw, details of which were revealed last week by Spanish researcher Ruben Santamarta, affects versions 6 and 7 of QuickTime and can be exploited simply by tricking a victim into visiting a malicious web page.

Santamarta, who works for Madrid-based security firm Wintercore, said in his post that the flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). He successfully tested the exploit on Windows 7, Vista and XP machines.

The same bug was reported to Apple by TippingPoint's Zero Day Initiative on June 30 — two months prior to Santamarta's release — but it was never fixed, tweeted Aaron Portnoy, who manages the security research team at TippingPoint.

A Websense spokesman told SCMagazineUS.com yesterday that exploits taking advantage of the flaw are not currently widespread but "definitely present."

An Apple spokesperson did not respond to a request for comment.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?