Apple patches zero-day QuickTime flaw with 7.6.8 release

Share this article:

Apple on Wednesday released a new version of QuickTime to plug two vulnerabilities, including a zero-day flaw that is being actively exploited simply by tricking a victim into visiting a web page.

Version 7.6.8 closes the flaw, publicly revealed in late August by Spanish researcher Ruben Santamarta and affecting versions 6 and 7 of QuickTime. Santamarta, who works for Madrid-based security firm Wintercore, said the flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). He successfully tested the exploit on Windows 7, Vista and XP machines.

"An optional parameter '_Marshaled_pUnk' may be passed to the ActiveX control to specify an arbitrary integer that is later treated as a pointer," according to the Apple advisory. "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution."

The same bug was reported to Apple by TippingPoint's Zero Day Initiative on June 30 — two months prior to Santamarta's release — but it was never fixed, tweeted Aaron Portnoy, who manages the security research team at TippingPoint.

Apple credited TippingPoint, not Santamarta, with the find.

A Websense spokesman told SCMagazineUS.com last week that exploits taking advantage of the flaw are not currently widespread but "definitely present."

Wednesday's QuickTime update also addresses a vulnerability in the Picture Viewer that could be exploited to execute arbitrary code if a victim views an image in a malicious directory.

Both of the patched flaws affect Windows 7, Vista and XP Service Pack 2. Mac OS X systems are not impacted.


Share this article:

Sign up to our newsletters

More in News

New backdoor 'Baccamun' spreads through ActiveX exploit

Symantec researchers revealed that the backdoor is dropped after attackers exploit a Windows ActiveX vulnerability.

Outdated browsers put U.K. users at risk of malware

A blog post on Check and Secure website said 70 percent of U.K. users haven't fully updated their internet browsers

Survey: 53 percent change privileged logins quarterly

A Lieberman Software survey highlights the issue or poor password management, even among security pros.