Old QuickTime flaw exposes IE

A zero-day vulnerability in Apple QuickTime that could allow a remote attacker to take over a computer running Internet Explorer has been reported by security researchers.

The flaw bypasses two commonly used security measures on Windows systems: address space layout randomisation (ASLR) and data execution prevention (DEP), according to Ruben Santamarta, a researcher for Spanish security company Wintercore. "The exploit defeats ASLR+DEP and has been successfully tested on [Windows 7], Vista and XP," said Santamarta in security advisory on Monday.

Santamarta said that Windows 7, Vista and XP machines using IE are vulnerable if the user visits a malicious website. Apple QuickTime 7.x and 6.x code can be exploited through the browser and is vulnerable to an exploit that uses a heap-spraying technique, said the researcher. Heap spraying is a technique which tries to put bytes into the memory of a target process.

For more of this story, read Old QuickTime code leaves IE open to attack on ZDNet UK.