Apple has released a new version of its popular QuickTime application to close three holes, one of which is a particularly dangerous flaw that was being actively exploited to install malicious code on victims' machines.
If an attacker can persuade someone to view a malicious RTSP movie, he can execute arbitrary code on a user's machine, according to Secunia, which labeled the vulnerability "extremely critical," its highest severity rating.
The vulnerability was unpatched for 20 days, according to eEye Digital Security.
Andrew Storms, director of security operations at nCircle, told SCMagazineUS.com today that his firm was following at least 12 websites hosting active exploits for the vulnerability.
He said this is further evidence that a shift is underway by attackers to target client software, such as QuickTime and other multimedia players.
"People have become accustomed to not opening attachments, and enterprises have gotten good at blocking inbound attacks," he said. "What they're going after is embedding malware into the client."
Symantec researchers have said the bug was being exploited in at least two active attacks, and hackers also published proof-of-concept code that targets users of virtual world Second Life.
The in-the-wild exploits begin with IFRAME code embedded on an erotic website, according to Symantec. This causes the browser to make a hidden request to another URL, which serves the exploit and installs the trojan downloader on a user's machine.
Meanwhile, the proof-of-concept for Second Life could enable an attacker to compromise the Second Life viewer and steal virtual assets by tricking players into viewing a malicious QuickTime video on the site.
The latest QuickTime version also resolves two previously unreported "highly critical" QuickTime vulnerabilities that could lead to remote DoS attacks, according to a Secunia advisory.
One of those flaws relates to malicious QTL (QuickTime link) files, while the other involves QuickTime's Flash media handler, according to Apple.
This was the first upgrade to version 7.3 since it was released last month to resolve a number of other security holes.
"It's certainly a great vector of choice," Storms said of QuickTime. "It's both Windows and Mac and it's embedded in iTunes. It's a huge target landscape to go after."
An Apple spokeswoman did not return a call for comment.