Apple patches zero-day QuickTime flaw with 7.6.8 release

Apple on Wednesday released a new version of QuickTime to plug two vulnerabilities, including a zero-day flaw that is being actively exploited simply by tricking a victim into visiting a web page.

Version 7.6.8 closes the flaw, publicly revealed in late August by Spanish researcher Ruben Santamarta and affecting versions 6 and 7 of QuickTime. Santamarta, who works for Madrid-based security firm Wintercore, said the flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). He successfully tested the exploit on Windows 7, Vista and XP machines.

"An optional parameter '_Marshaled_pUnk' may be passed to the ActiveX control to specify an arbitrary integer that is later treated as a pointer," according to the Apple advisory. "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution."

The same bug was reported to Apple by TippingPoint's Zero Day Initiative on June 30 — two months prior to Santamarta's release — but it was never fixed, tweeted Aaron Portnoy, who manages the security research team at TippingPoint.

Apple credited TippingPoint, not Santamarta, with the find.

A Websense spokesman told SCMagazineUS.com last week that exploits taking advantage of the flaw are not currently widespread but "definitely present."

Wednesday's QuickTime update also addresses a vulnerability in the Picture Viewer that could be exploited to execute arbitrary code if a victim views an image in a malicious directory.

Both of the patched flaws affect Windows 7, Vista and XP Service Pack 2. Mac OS X systems are not impacted.