ITSS-Advisory : MEDIUM : Apple : QuickTime : Arbitrary Code Execution
THREAT LEVEL
============
Medium.
INFORMATION
===========
Bulletins have been published on a vulnerability when QuickTime and
Firefox (set as the default browser) are installed on a computer.
Accessing a maliciously crafted QuickTime link (.qtl) may allow an
attacker to execute code on an affected computer. QuickTime links
may be accessed from local storage or when browsing a webpage.
More information is available at:
- https://www.auscert.org.au/render.html?it=8083 (login required)
- http://www.kb.cert.org/vuls/id/751808
Sample exploit code is publicly available.
AFFECTED PLATFORMS
==================
The following software on Windows and Mac OS X computers is affected:
- QuickTime 7.2 and prior.
- iTunes 7.4.1 and prior (QuickTime being a component of iTunes).
- Firefox 2.0.6 and prior.
ACTION
======
At present, there is no known official fix for this vulnerability.
AusCERT advises administrators of affected computers to consider
implementing the following countermeasures:
- Disabling the QuickTime plugin in the browser:
  http://kb.mozillazine.org/Issues_related_to_plugins
- Using the NoScript Firefox extension:
  https://addons.mozilla.org/en-US/firefox/addon/722
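Because the exposure starts with a crafted .qtl file reaching the machine, a mail gateway or helpdesk can triage such files before they are opened. The script below is an added example, not code from AusCERT, Apple or Mozilla: it treats a .qtl as a small XML document whose <embed> element references media, and reports any reference that does not look like media. The format details, the checks and the two sample files are assumptions constructed for this example.

```python
"""Triage a QuickTime link (.qtl) file before it is opened (added example)."""
import re
import xml.etree.ElementTree as ET

# Assumption: a legitimate .qtl points QuickTime at streamed or downloaded media.
ALLOWED_SCHEMES = ("http://", "https://", "rtsp://")
MEDIA_EXT = re.compile(r"\.(mov|mp4|m4v|mp3|m4a|3gp)$", re.IGNORECASE)

# Constructed sample files for this example (not real indicators).
BENIGN_QTL = (
    '<?xml version="1.0"?>\n'
    '<?quicktime type="application/x-quicktime-media-link"?>\n'
    '<embed src="http://media.example.com/trailer.mov" autoplay="true"/>\n'
)
SUSPECT_QTL = (
    '<?xml version="1.0"?>\n'
    '<?quicktime type="application/x-quicktime-media-link"?>\n'
    '<embed src="file:///C:/tools/run.exe" autoplay="true"/>\n'
)


def triage_qtl(text):
    """Return the <embed> attributes plus a list of reasons the file looks unsafe."""
    reasons = []
    try:
        root = ET.fromstring(text)  # XML declaration and <?quicktime?> PI are skipped
    except ET.ParseError as exc:
        return {"attrs": {}, "reasons": ["not well-formed XML: %s" % exc]}
    attrs = dict(root.attrib)
    if root.tag.lower() != "embed":
        reasons.append("unexpected root element <%s>" % root.tag)
    for name, value in attrs.items():
        v = value.strip()
        # A media reference should never look like a program switch.
        if v.startswith("-") or " -" in v:
            reasons.append("%s carries a command-line style switch: %r" % (name, v))
        # Only media transport schemes are expected in a link file.
        if "://" in v and not v.lower().startswith(ALLOWED_SCHEMES):
            reasons.append("%s uses a non-media URL scheme: %r" % (name, v))
        # The src attribute is what QuickTime opens; it must name a media file.
        if name.lower() == "src" and not MEDIA_EXT.search(v.split("?")[0]):
            reasons.append("src does not reference a media file: %r" % v)
    return {"attrs": attrs, "reasons": reasons}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_QTL), ("suspect", SUSPECT_QTL)):
        print(label, triage_qtl(sample)["reasons"])
```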