Apple Patches QuickTime 13 Month Old Flaw
Apple updated the Windows edition of QuickTime on October 3, 2007 to fix a year-old vulnerability that, critics noted, it had failed to address when it patched the media player in March 2007.
Apple described the exploitation of the flaw in .qtl (QuickTime Media Link) files as a command-injection issue arising from the way the media player handles URLs.
If an attacker can persuade a user to open a crafted file, the attacker may launch an application with attacker-controlled command arguments, allowing execution of arbitrary code. The new update fixes the issue through improved URL handling, Apple said in an advisory released on October 3, 2007; ZDNet reported the news the same day.
This is Apple's second attempt to fix the vulnerability. Earlier in 2007, after the bug was discussed in the Month of Apple Bugs project, Apple released QuickTime 7.1.5 with a patch that proved inadequate.
The patch affects users of QuickTime 7.2 on Windows XP SP2 and Windows Vista, and fixes the vulnerability tracked as CVE-2007-4673.
The update corrects a QuickTime flaw on Windows Vista and Windows XP. The flaw was first reported by UK researcher Petko Petkov in September of last year, after he discovered it. In September 2007, Petkov posted proof-of-concept code for the flaw on the Internet because Apple had not responded to his e-mail messages. Several samples posted on the World Wide Web combined a bug in the Firefox browser with the QuickTime flaw to mount a drive-by attack that could silently take over a computer.
About a week after the release of Petkov's exploit code, which affected Firefox users, Mozilla issued an updated version of its open-source browser to block the QuickTime-based code-execution attacks.
Apple said the vulnerability does not affect the Mac OS X version of QuickTime.
The updated QuickTime is available for download from Apple's website, or via the Software Update utility that comes with Apple's iTunes and the Windows version of the player.
SPAMfighter News - 17-10-2007