Running QuickTime 7.2 on Windows? Well, you better read this

Written by Russell Shaw, Contributor

You wouldn't want arbitrary code executing on your PC, now would you?

I hear the reaction out there. "Of course not."

If you are in the "of course not" camp, you will want to know that Apple's just posted a downloadable security update for QuickTime 7.2 for Windows Vista and XP.

The update fixes an arbitrary code execution vulnerability that could be sparked by a maliciously crafted QTL file.

Apple says:

A command injection issue exists in QuickTime's handling of URLs in the qtnext field in QTL files. By enticing a user to open a specially crafted QTL file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This issue does not affect Mac OS X.

Here's what Apple tells you to do:

Security Update for QuickTime 7.2 may be obtained from the Software Update application, or from the Apple Downloads site.

If Apple Software Update is not already running in Windows, you can open it from the Start menu under "All Programs". By default it is installed at

C:\Program Files\Apple Software Update\SoftwareUpdate.exe

To verify that your version of QuickTime has been updated:

For Windows XP:

  • In Windows Explorer, navigate to C:\Program Files\QuickTime\QTSystem\QuickTime.qts
  • Right click on QuickTime.qts, select Properties, then click the Versions tab.
  • If the QuickTime version is 7.2.0.245 or later, then the security update has been applied.

For Windows Vista:

  • In Windows Explorer, navigate to C:\Program Files\QuickTime\QTSystem\QuickTime.qts
  • Right click on QuickTime.qts, select Properties, then click the General tab.
  • If the "Date Created" indicates September 21, 2007 or later, then the security update has been applied.
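
The same two checks can be scripted for administrators who need to verify more than one machine. The following PowerShell is an added example, not Apple's or the author's code; it assumes the "QuickTime version" shown in the Properties dialog corresponds to the file-version field of QuickTime.qts, and the function name `Test-QuickTimeUpdate` is hypothetical.

```powershell
param(
    # Default install path as given in the steps above; pass -Path if QuickTime is installed elsewhere.
    [string]$Path = 'C:\Program Files\QuickTime\QTSystem\QuickTime.qts'
)

# Thresholds taken from the verification steps above.
$MinVersion = [version]'7.2.0.245'        # Windows XP check
$MinCreated = [datetime]'2007-09-21'      # Windows Vista check

function Test-QuickTimeUpdate {
    param([string]$File)

    if (-not (Test-Path -LiteralPath $File -PathType Leaf)) {
        # QuickTime is not installed at this path, so there is nothing to verify.
        return [pscustomobject]@{ Path = $File; Found = $false }
    }

    $item = Get-Item -LiteralPath $File
    $info = $item.VersionInfo

    # Build the version from the numeric parts rather than parsing the display
    # string, which may use commas or carry extra text.
    # Assumption: this file-version field is what the Properties dialog reports.
    $fileVersion = New-Object System.Version `
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

    [pscustomobject]@{
        Path        = $File
        Found       = $true
        FileVersion = $fileVersion
        VersionOk   = ($fileVersion -ge $MinVersion)        # 7.2.0.245 or later
        Created     = $item.CreationTime
        CreatedOk   = ($item.CreationTime -ge $MinCreated)  # September 21, 2007 or later
    }
}

$result = Test-QuickTimeUpdate -File $Path
$result | Format-List

if ($result.Found -and -not ($result.VersionOk -or $result.CreatedOk)) {
    Write-Warning 'Neither check passed: run Apple Software Update to install the security update.'
}
```

The creation date changes if the file is copied or restored from backup, so treat the version comparison as the stronger of the two signals.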
