Hacker Posts QuickTime Zero-Day Attack Code
Gregg Keizer writes on ComputerWorld:
A hacker has released attack code that exploits an unpatched vulnerability in Apple Inc.'s QuickTime, just a week after the company updated the media player to plug nine other serious vulnerabilities, a security researcher said today.More here.
The exploit, which was published on the milw0rm.com site Tuesday, takes advantage of a flaw in the "< ? quicktime type= ? >" parameter in QuickTime, which is not prepared to handle excessively-long strings, said Aaron Adams, a researcher with Symantec Corp.'s DeepSight threat notification network.
"Symantec is currently investigating this flaw further to determine the underlying technical details," said Adams in a research note today.
In its present form, the exploit triggers a QuickTime crash, but it may be more serious. "The exploit suggests that code execution may be possible," Adams added, "[and] if this flaw were to allow arbitrary code to run, it may pose a significant risk, because attackers may be able to exploit the issue by embedding a malicious file into a site."