Wednesday, September 17, 2008

Hacker Posts QuickTime Zero-Day Attack Code

Gregg Keizer writes on ComputerWorld:

A hacker has released attack code that exploits an unpatched vulnerability in Apple Inc.'s QuickTime, just a week after the company updated the media player to plug nine other serious vulnerabilities, a security researcher said today.

The exploit, which was published on the site Tuesday, takes advantage of a flaw in the "< ? quicktime type= ? >" parameter in QuickTime, which is not prepared to handle excessively-long strings, said Aaron Adams, a researcher with Symantec Corp.'s DeepSight threat notification network.

"Symantec is currently investigating this flaw further to determine the underlying technical details," said Adams in a research note today.

In its present form, the exploit triggers a QuickTime crash, but it may be more serious. "The exploit suggests that code execution may be possible," Adams added, "[and] if this flaw were to allow arbitrary code to run, it may pose a significant risk, because attackers may be able to exploit the issue by embedding a malicious file into a site."

More here.


Post a Comment

<< Home