A security researcher has uncovered a new vulnerability in Apple QuickTime that can be used to bypass some security protections in Microsoft Windows.
According to Wintercore Security’s Ruben Santamarta, the bug seems to be the result of a parameter from an older version of QuickTime being mistakenly left in the code. The vulnerability can be exploited remotely on machines running Internet Explorer (IE) on Windows XP, Vista or Windows 7 with QuickTime versions 6x or 7x.
Santamarta’s findings can be read here.
“The exploit defeats ASLR+DEP and has been successfully tested on W7, Vista and XP,” he blogged. “A metasploit module should be available soon since I sent the exploit details … some days before releasing this advisory.”
Symantec advised that users worried about the issue can disable the QuickTime plug-in until a patch is available.