
Apple QuickTime security bug hits Windows

Security researchers are this morning panning Apple Inc. for a security problem which affects Windows.

Wintercore’s Ruben Santamarta claims Apple has failed to clean up some old code nested within QuickTime, which can leave Internet Explorer vulnerable to yet another in the Microsoft browser’s long line of potential attacks.

The exploit is simple to execute just by tricking a user into visiting a malicious site hosting the exploit code, a so-called “drive-by” attack.

The attack code works when someone browses with IE on a machine running Windows XP, Vista or Windows 7 that has QuickTime 7.x or the older QuickTime 6.x installed.

Apple patched QuickTime for Windows on August 11 (version 7.6.7). The exploit works because Apple didn’t tidy up QuickTime’s code after developers dropped the “_Marshaled_pUnk” function, something the researcher attributes to human error.

“Although this functionality was removed in newer versions, the parameter is still present,” Santamarta wrote. “Why? I guess someone forgot to clean up the code.”
