Apple Aims to Patch Persistent QuickTime Hole
Bug identified over a year ago gets quashed in security update.
Apple's latest QuickTime update aims to fix a flaw that's persisted in the software for more than a year -- despite efforts by the computer maker to address it throughout that time.
The company now hopes to put that flaw to bed with its new QuickTime 7.2 update. The release repairs a command-injection issue in the QuickTime application's handling of URLs, affecting Windows Vista and Windows XP SP2 users. According to Apple, Mac OS X users were not at risk from the flaw.
"By enticing a user to open a specially crafted QTL file, an attacker may cause an application to be launched with controlled command-line arguments, which may lead to arbitrary code execution," Apple said in an advisory about the flaw.
The same issue apparently could have been triggered in Mozilla Firefox, when the browser calls a QuickTime file. Mozilla fixed the issue last month with the Firefox 188.8.131.52 release.
Apple's update attempts to repair a problem that's been on the company's fix-it list for more than a year. The company first attempted to fix the issue in March with its QuickTime 7.1.5 update. That release sought to plug holes that made headlines in January, in connection with a month-long effort by two security researchers to detail Apple-related vulnerabilities, dubbed the Month of Apple Bugs project.