Apple Aims to Patch Persistent QuickTime Hole QuickTime 7.2 Update Looks to Fix Security Flaw Sean Michael Kerner
Apple's latest QuickTime update aims to fix a flaw that's persisted in the software for more than a year — despite efforts by the computer maker to address it throughout that time.
The company now hopes to put that flaw to bed with its new QuickTime 7.2 update. The release repairs a command-injection issue in the QuickTime application's handling of URLs, affecting Windows Vista and Windows XP SP2 users. According to Apple, Mac OSX users were not at risk from the flaw.
"By enticing a user to open a specially crafted QTL file, an attacker may cause an application to be launched with controlled command-line arguments, which may lead to arbitrary code execution," Apple said in an advisory about the flaw.
The same issue apparently could have been triggered in Mozilla Firefox, when the browser calls a QuickTime file. Mozilla fixed the issue last month with the Firefox 2.0.0.7 release.
Apple's update attempts to repair a problem that's been on the company's fix-it list for more than a year. The company first attempted to fix the issue in March with its QuickTime 7.1.5 update. That release sought to plug holes that made headlines in January, in connection with a month-long effort by two security researchers to detail Apple-related vulnerabilities, dubbed the Month of Apple Bugs project.
But the flaw is thought to be even older. The problem evidently dates back as far as September 2006, when security researcher Petko Petkov raised the alarm about arbitrary code execution vulnerabilities related to URL handling in QuickTime.
