Proactive IT Security
 

Old vulnerability in Apple's QuickTime Player allows remote code execution on Windows systems (UPDATED)

First published: 2010-08-31
Updated: 2010-09-16

Yesterday the Spanish security researcher Ruben Santamarta posted proof-of-concept exploit code for a vulnerability in Apple's QuickTime Player.

He demonstrated how a nine-year-old unused parameter in QuickTime Player, known as _Marshaled_pUnk, could be used to take full control of a Windows-based system with Live Messenger installed and execute program code remotely.

Analysts agree that this is not a standard vulnerability in the sense of insecure programming, but rather an oversight: program code used during development was left in the released version of the program (and is still there nine years later).

Only minutes before this advisory was written, exploit code was added to the open-source Metasploit project, which is popular among security researchers as well as more dubious elements.

As of this writing, no security updates are available for QuickTime Player.

This security advisory will be updated when more information is available.

Update 16 September 2010

Apple has published QuickTime version 7.6.8. This update fixes the vulnerability mentioned above as well as another vulnerability in previous QuickTime versions.

More information is available from Apple's security article HT 4339.

Norman recommends that QuickTime users upgrade to the latest version.