Vulnerability Management

Active exploits targeting Apple QuickTime 0-day

Story updated on Wednesday, Sept. 8 at 5:34 p.m. EST

Attackers are now actively exploiting a recently published zero-day vulnerability in Apple QuickTime, security firm Websense disclosed Tuesday.

The flaw, details of which were revealed last week by Spanish researcher Ruben Santamarta, affects versions 6 and 7 of QuickTime and can be exploited simply by tricking a victim into visiting a malicious web page.

Santamarta, who works for Madrid-based security firm Wintercore, said in his post that the flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). He successfully tested the exploit on Windows 7, Vista and XP machines.

The same bug was reported to Apple by TippingPoint's Zero Day Initiative on June 30 — two months prior to Santamarta's release — but it was never fixed, tweeted Aaron Portnoy, who manages the security research team at TippingPoint.

A Websense spokesman told later Wednesday that exploits taking advantage of the flaw are not currently widespread but "definitely present."

An Apple spokesperson did not respond Wednesday to a request for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.