Sep 16, 2010 10:31 GMT

QuickTime 7.6.8 for Windows has been released to address two critical arbitrary code execution vulnerabilities, one of which was being actively exploited in the wild.

The first vulnerability, identified as CVE-2010-1818, is located in the QuickTime ActiveX control and can be leveraged to execute arbitrary code by tricking victims into visiting a maliciously crafted website.

"An optional parameter '_Marshaled_pUnk' may be passed to the ActiveX control to specify an arbitrary integer that is later treated as a pointer.

"This issue is addressed by ignoring the '_Marshaled_pUnk' parameter," Apple explains in its advisory.

The company credits HBelite for reporting the issue through TippingPoint's Zero Day Initiative program.

However, the vulnerability was also publicly disclosed by a Spanish researcher named Rubén Santamarta at the end of August.

According to a report from Web and email security vendor Websense, this led to the flaw being exploited by malicious attackers before a patch was available.

The second bug fixed in this QuickTime release enables so-called remote binary planting or DLL hijacking attacks.

"If an attacker places a maliciously crafted DLL in the same directory as an image file, opening the image file with QuickTime Picture Viewer may lead to arbitrary code execution," the vendor notes.

This type of vulnerability affects hundreds of applications and stems from the way certain Windows API functions search for a library file when no full path is specified.

In this case, the "working directory" takes precedence over other predefined locations, so the issue was addressed by removing it from the DLL search path entirely.
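The lookup behaviour described above, and the effect of dropping the working directory from it, can be modelled on temporary directories. This Python sketch is an added example, not code from Apple or from the original article; the directory order, the file names and the function names are assumptions made for illustration.

```python
import os
import tempfile

# Assumed, simplified lookup order for a DLL requested by bare file name.
# The real order depends on Windows version and settings; "cwd" is the
# working directory, e.g. the folder of the image that was opened.
SEARCH_ORDER = ["app_dir", "system_dir", "windows_dir", "cwd", "path_dirs"]


def resolve(dll_name, dirs, include_cwd=True):
    """Return (role, path) of the first directory holding dll_name, else None."""
    for role in SEARCH_ORDER:
        if role == "cwd" and not include_cwd:
            continue  # the fix: the working directory is never searched
        for d in dirs.get(role, []):
            candidate = os.path.join(d, dll_name)
            if os.path.isfile(candidate):
                return role, candidate
    return None


def colocated_libraries(folder, doc_exts=(".jpg", ".png", ".mov")):
    """Defensive check: list DLLs that sit next to media files in a folder."""
    names = os.listdir(folder)
    has_docs = any(n.lower().endswith(doc_exts) for n in names)
    return sorted(n for n in names if has_docs and n.lower().endswith(".dll"))


def demo():
    """Resolve one DLL in a constructed layout, before and after the fix."""
    with tempfile.TemporaryDirectory() as root:
        dirs = {}
        for role in ("app_dir", "system_dir", "windows_dir", "cwd"):
            path = os.path.join(root, role)
            os.mkdir(path)
            dirs[role] = [path]
        # Constructed sample: an image plus a DLL that exists in no trusted
        # directory, so only the working directory can satisfy the lookup.
        for name in ("photo.jpg", "optional_codec.dll"):
            open(os.path.join(dirs["cwd"][0], name), "wb").close()
        before = resolve("optional_codec.dll", dirs, include_cwd=True)
        after = resolve("optional_codec.dll", dirs, include_cwd=False)
        return before[0], after, colocated_libraries(dirs["cwd"][0])


if __name__ == "__main__":
    print(demo())
```

The same co-location check can be pointed at download or network-share folders to spot libraries sitting beside media files.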

QuickTime was not the only Apple product vulnerable to binary planting. The company has previously fixed a similar bug in Safari.

And with the recent revelation that this type of attack extends to .EXE files, the number of confirmed affected applications is only expected to grow.

QuickTime 7.6.8 for Windows can be downloaded from here.