QuickTime zero-day attack code released

A hacker has released attack code that exploits an unpatched vulnerability in Apple Inc.'s QuickTime, just a week after the company updated the media player to plug nine other serious vulnerabilities, a security researcher said today.

The exploit, which was published on the milw0rm.com site Tuesday, takes advantage of a flaw in the "quicktime type" parameter in QuickTime, which is not prepared to handle excessively-long strings, said Aaron Adams, a researcher with Symantec Corp.'s DeepSight threat notification network.

"Symantec is currently investigating this flaw further to determine the underlying technical details," said Adams in a research note today. In its present form, the exploit triggers a QuickTime crash, but it may be more serious. "The exploit suggests that code execution may be possible," Adams added, "[and] if this flaw were to allow arbitrary code to run, it may pose a significant risk, because attackers may be able to exploit the issue by embedding a malicious file into a site."