Thursday, September 9, 2010

Quicktime 0-day drive-by exploit "in the wild"

Unless you absolutely have to have QuickTime (iTunes requires it), you're better off without it.  The VLC media player will play QuickTime media so you don't really need it.

Active exploits targeting Apple QuickTime 0-day - SC Magazine US
Attackers are now actively exploiting a recently published zero-day vulnerability in Apple QuickTime, security firm Websense disclosed Tuesday.

The flaw, details of which were revealed last week by Spanish researcher Ruben Santamarta, affects versions 6 and 7 of QuickTime and can be exploited simply by tricking a victim into visiting a malicious web page.

Santamarta, who works for Madrid-based security firm Wintercore, said in his post that the flaw is able to bypass two built-in Windows security features: Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). He successfully tested the exploit on Windows 7, Vista and XP machines.

... A Websense spokesman told SCMagazineUS.com later Wednesday that exploits taking advantage of the flaw are not currently widespread but "definitely present."

An Apple spokesperson did not respond Wednesday to a request for comment.

No comments: