Old QuickTime code leaves IE open to attack

A zero-day vulnerability in Apple QuickTime that could allow a remote attacker to take over a computer running Internet Explorer has been reported by security researchers.

The flaw bypasses two commonly used security measures on Windows systems: address space layout randomisation (ASLR) and data execution prevention (DEP), according to Ruben Santamarta, a researcher for Spanish security company Wintercore.

"The exploit defeats ASLR+DEP and has been successfully tested on [Windows 7], Vista and XP," said Santamarta in security advisory on Monday.

Santamarta said that Windows 7, Vista and XP machines using IE are vulnerable if the user visits a malicious website. Apple QuickTime 7.x and 6.x code can be exploited through the browser and is vulnerable to an exploit that uses a heap-spraying technique, said the researcher. Heap spraying is a technique which tries to put bytes into the memory of a target process.

The flaw appears to be the result of Apple developers including old code in newer versions of QuickTime, according to Santamarta. The problem lies with the parameter for the QTPlugin.ocx functionality, which has been removed in later versions of QuickTime.

"I guess someone forgot to clean up the code," said Santamarta, who exposed a critical vulnerability in Java in April alongside Google security researcher Tavis Ormandy..

Santamarta added that code has been sent to the Metasploit project, a security project that develops tools for executing exploit code against target machines. Security researcher HD Moore told security company Kaspersky that the wide deployment of the QuickTime media player was one of the factors that could make malware authors keen to try to exploit the flaw.

"The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild," said Moore, who created Metasploit.

Apple had not responded to a request for comment at the time of writing.