MOAB 3: QT bug

By rom

MOAB-03-01-2007: Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability:

A month ago, a vulnerability in QuickTime was exploited to spread a worm on MySpace. The vulnerability was first published by pdp. In his article, pdp describes how the HREFTrack attribute in .mov files can be used for malicious scripting: the track carries a URL that QuickTime loads, and a javascript: URL there runs in the context of the page embedding the movie. The MySpace worm abused this as a cross-site scripting vector.

This MoAB issue shows that the same vulnerability can also be used in a cross-zone scripting attack, which, in combination with other vulnerabilities, could allow an attacker to remotely execute arbitrary code on the user's machine, as well as to disclose the contents of the filesystem.
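To show what the HREFTrack abuse looks like at the file level and how one might triage .mov files for it, here is an added scanning example (my own, not code from the MoAB advisory or from pdp's article). It walks the QuickTime atom tree to find tracks whose user-data name is HREFTrack and then flags href-style URLs (`A<url> T<target>`) that use a scripting scheme. Assumptions: the container-atom list and the plain-string 'name' user-data atom are the parts of the QuickTime format needed for this check; the regex is a byte-level heuristic that does not resolve sample tables; the movie skeletons are constructed fixtures, not playable files.

```python
import re
import struct

# Container atoms the walker descends into to reach trak/udta/name.
# (Assumption: this subset of QuickTime container atoms is sufficient here.)
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}

# Href text sample syntax: optional 'A' (auto-load), URL in <>, optional T<target>.
HREF_URL = re.compile(rb"A?<\s*([^>]+)>")
DANGEROUS_SCHEMES = (b"javascript:", b"vbscript:", b"file:", b"data:")


def atom(kind, payload=b""):
    """Build a QuickTime atom: 32-bit big-endian size (incl. header), 4-char type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload


def iter_atoms(buf, start=0, end=None):
    """Yield (type, payload_start, payload_end) for each atom in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:  # 64-bit extended size follows the header
            if pos + 16 > end:
                return
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:  # atom extends to the end of the enclosing buffer
            size = end - pos
        if size < header or pos + size > end:
            return  # malformed or truncated: stop instead of looping forever
        yield kind, pos + header, pos + size
        pos += size


def track_names(buf):
    """Return the user-data 'name' string of every 'trak' atom in the file."""
    names = []

    def walk(start, end, path):
        for kind, pstart, pend in iter_atoms(buf, start, end):
            if kind == b"name" and path[-2:] == [b"trak", b"udta"]:
                names.append(buf[pstart:pend].rstrip(b"\x00").decode("latin-1"))
            elif kind in CONTAINER_ATOMS:
                walk(pstart, pend, path + [kind])

    walk(0, len(buf), [])
    return names


def scan_mov(buf):
    """Heuristic triage: HREFTrack present AND an href URL with a scripting scheme."""
    names = track_names(buf)
    has_href_track = "HREFTrack" in names
    script_urls = []
    for m in HREF_URL.finditer(buf):  # byte-level scan; samples are not mapped to tracks
        url = m.group(1).strip()
        if url.lower().startswith(DANGEROUS_SCHEMES):
            script_urls.append(url.decode("latin-1"))
    return {"track_names": names, "has_href_track": has_href_track,
            "script_urls": script_urls,
            "suspicious": has_href_track and bool(script_urls)}


def build_sample_movie(href_text, track_name=b"HREFTrack"):
    """Constructed fixture: a minimal, non-playable .mov skeleton with one named track
    and one text sample (16-bit length prefix + text) in mdat."""
    trak = atom(b"trak", atom(b"udta", atom(b"name", track_name)))
    moov = atom(b"moov", atom(b"mvhd", b"\x00" * 100) + trak)
    sample = struct.pack(">H", len(href_text)) + href_text
    return atom(b"ftyp", b"qt  " + b"\x00" * 8) + moov + atom(b"mdat", sample)


if __name__ == "__main__":
    # Constructed samples: a benign auto-loading link and a scripting URL.
    for text in (b"A<http://example.com/> T<_blank>",
                 b"A<javascript:alert(document.domain)> T<myself>"):
        print(text.decode(), "->", scan_mov(build_sample_movie(text)))
```

The check deliberately requires both signals: a track named HREFTrack and a scripting-scheme URL. A javascript: string elsewhere in a file (metadata, chapter text) is not by itself the pattern this issue describes, and an HREFTrack pointing at an ordinary http: URL is a legitimate, documented QuickTime feature.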

I thought that the Security Update released by Apple fixed this problem already. However, checking the details of the bug, only Windows has been tested. I am not sure if it still affects the Mac – if not, who cares about Windows?!
