The unpatched vulnerability could allow remote execution of code, according to an advisory published on Monday by eEye Digital Security. It affects various versions of Apple QuickTime running on all types of operating systems, the company said, but did not specify which versions in particular were at risk.
eEye said it notified Apple of the flaw on October 31, when it outlined vulnerabilities that were not addressed in Apple's update of October 12. The security company issued a follow-up public advisory on November 3, said Mike Puterbaugh, the senior product marketing director at eEye.
"We don't feel this flaw could result in an Internet worm, as it does require end-user interaction (such as clicking on a link to a malicious Web site or chat session). The affected component is, however, enabled by default," Puterbaugh said.
This newly discovered flaw could allow an attacker to launch remotely executable code, posing as the logged-in user. An intruder, for example, could access and do everything that a user could do on his computer. If the user had administrator rights, the hacker could also access everything that the administrator could.
"The Apple flaw works with their latest version of QuickTime," said Steve Manzuik, eEye product manager. "The only similarity with the earlier flaws is it's in QuickTime."
Apple's earlier patch, version 7.0.3, addressed vulnerabilities found in QuickTime 6.5.2 and 7.0.1 for the Mac OS X operating system and some versions running on Windows. One of those flaws allowed a malicious attacker to launch a denial-of-service attack, while the other three flaws allowed an attacker to remotely execute code and take over users' computers.
Apple has acknowledged receipt of eEye's advisory, but gave no indication of when, or if, it plans to patch the flaw. "It is something they will undoubtedly have to patch," Manzuik said.
