Apple has patched a flaw in QuickTime that could allow for remote attacks.
The fix addresses a vulnerability in the Windows Vista and XP versions of QuickTime, which is commonly installed as a browser plug-in or as a component of iTunes. OS X users are not affected.
Apple said that the problem concerns QuickTime Media Links (QTLs) which are often used to launch media files from browsers.
If a specially crafted QTL is launched, QuickTime can allow access to a command line which could then be used to execute malicious code.
Security researcher Petko D Petkov showed last month how a malformed QTL file could be placed within a web page and disguised as a movie or song file.
The researcher provided several proof-of-concept samples which caused vulnerable machines to display alert boxes, launch arbitrary applications and even shut down.
Although the Apple security notice does not specifically mention the report, a spokesperson confirmed to vnunet.com that the fix addresses the flaw described by Petkov.
Users can obtain the update via the Software Update application or from Apple's support site.
Apple patches QuickTime flaw
By Shaun Nichols on May 3, 2007 10:40AM