Apple has taken another swing at fixing a troublesome spate of QuickTime vulnerabilities.
The company released an update for the Windows version of QuickTime media player on Wednesday afternoon to patch what Apple calls a "command injection issue" in the way the media player handles URLs. The flaw, which affects Windows XP and Windows Vista, was first disclosed in September of 2006 by Petko D. Petkov, a penetration tester.
Petkov noted in a blog post this September that he reported two QuickTime bugs in the early fall of 2006. Only one, however, was patched. To bring attention to the year-old vulnerability, Petkov posted several proof-of-concept exploits on his blog last month.
At the time, the researcher wrote on his blog, Gnucitizen, that to make a point he had posted a demonstration of how the bug could be used to hack into Firefox. "The first vulnerability was fixed, but the second one was completely ignored," he wrote. "I tried to bring the spotlight on the second vulnerability one more time over here, yet nobody listened. So, I decided to post a demonstration of how a Low risk issue can be turned into a very easy to perform HIGH risk attack."
Petkov also reported that the flaw was a particular problem for the Mozilla Foundation's open-source Firefox browser.
Mozilla soon confirmed that the year-old unpatched QuickTime vulnerability opens up a backdoor that could enable a hacker to break into Firefox. Then, just six days after the proof-of-concept code was released, Mozilla updated Firefox to fix the problem. "This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple," wrote Window Snyder, Mozilla's top security executive, in her blog.
Now, nearly a month after the proof-of-concept code was posted, Apple has released a fix for the vulnerability.
Apple noted in an online advisory that by enticing a user to open a specially crafted QTL file, an attacker may be able to execute malicious code on the machine. The company reported that it fixed the problem by improving URL handling.
The issue does not affect computers running Mac OS X even if they have a Firefox browser, according to Apple.
Apple has issued at least four separate patch updates for QuickTime in the last several months.
QuickTime is Apple's multimedia technology for dealing with video, sound, animation, text, and music. The technology is widely used. The highly popular iPod uses the iTunes media player, which people run on their PCs and Macs. iTunes, in turn, uses QuickTime.