A buffer overrun vulnerability has been detected in the ActiveX component in Apple's QuickTime 5.0 media player, which is used to embed streaming media content in a Web page.

In an advisory security research firm @stake said the buffer overrun was caused by the way that the QuickTime ActiveX component handles the "pluginspage" field when parsed from a malicious remote or local HTML page.

The flaw could result in execution of arbitrary code, the company warned, urging users to upgrade immediately to the QuickTime 6, which contains a fix.


"To exploit this vulnerability, an attacker would need to get his or her target to open a malicious HTML file as an attachment to an email message, as a file on the local or network file system, or as a file via HTTP. Most likely this would be accomplished by embedding a link to a vulnerable web site in an email message or another web page. If the malicious HTML file is opened it will cause QuickTime to execute the arbitrary computer code contained within the HTML page," @stake warned.

The company, which notified Apple of the flaw before going public with the advisory, said Web sites that host the qtplugin.cab file should also upgrade to QuickTime 6. "You should never open attachments/web pages that come from unknown sources no matter how benign they may appear. Be wary of those that come from known sources," the company warned, noting that downloading the ActiveX component from any source is a major risk.

@stake said users could also set the "kill bit" for a known vulnerable ActiveX component by editing the registry to block Microsoft's Internet Explorer browser from executing the vulnerable component. (See directions here).

It is not the first time hackers have targeted popular media players to distribute malicious code. Earlier this year, RealNetworks warned of a security exploit affecting its RealPlayer 8 software.

That buffer overrun flaw, which was tagged as a "medium risk" was found in the Real Media file format which contained a variety of strings in its header. By manipulating the way a file is formatted, it is possible to overflow memory buffers, which store these strings. This could let an attacker run arbitrary code on a user's machine, the company warned.

Subsequent upgrades to the RealPlayer software contained fixes for that vulnerability. Buffer overrun bugs were also found in Microsoft's Windows Media Player versions 6.4 and 7.0. Those too have been fixed.