Just weeks after Apple Inc. released a fix for three gaping security holes in its QuickTime media player, a private security research outfit has flagged another “high risk” flaw that remains unpatched.
Researchers at eEye Digital Security warned in a brief advisory that default installations of the QuickTime 7.0.3, the newest version, are vulnerable.
A spokesman for eEye told Ziff Davis Internet News the bug was reported to Apple on October 31.
Although the bug could be exploited remotely to launch executable code, a successful attack requires some user action.
“It requires that a maliciously created media file is played,” the eEye spokesman explained, noting that the flaw is unlikely to result in an Internet worm.
He said eEye supplied Apple with its preliminary research, which included confirmation of the flaw in QuickTime for Windows. eEye is doing additional research to determine if the Mac OS is affected.
A spokesman for Apple declined comment on the eEye advisory.
Word of the new vulnerability comes just days after an advisory from Apple detailed multiple QuickTime security flaws that could lead to remote code execution attacks.
Those bugs, fixed in QuickTime 7.0.3, were rated “highly critical.” In all, the media player upgrade fixed four vulnerabilities, the most dangerous being an integer overflow error in the handling of a “Pascal” style string when loading a “.mov” video file.
This can result in memory overwrite due to a large memory copy, potentially allowing arbitrary code execution via a specially crafted video file.