The recently infamous 13-month-old QuickTime flaw, which Apple failed to patch in March, has finally been taken care of in QuickTime version 7.2. The update fixes the flaw, which affects QuickTime on Windows XP and Windows Vista. Apple did not specifically address the question of why it took so long, but before the explanation of the vulnerability, they wrote a self-justifying intro that reads: “For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.” Such an approach is nothing more than what one would expect, bearing in mind it's Apple we're talking about.
As Randy Abrams told TechNewsWorld last month, “Apple ignored warnings about this last year and allowed scripting without user intervention. Somewhere along the line, everyone at Apple missed the boat on this vulnerability. They had no level of understanding about how widespread this could become.”
The first time this flaw was exposed was more than a year ago, and the man responsible is Petko Petkov, a British security researcher also credited with finding a similar flaw in Windows Media Player (WMP).
The vulnerability exists in QuickTime metafiles with the .qtl extension and is exactly as Apple has (finally) stated: “A command injection issue exists in QuickTime's handling of URLs in the qtnext field in QTL files. By enticing a user to open a specially crafted QTL file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs.”
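The defensive side of Apple's description is that a qtnext value should only ever be a plain media URL, so a file whose qtnext field holds anything else is worth flagging before QuickTime ever sees it. The script below is an added example (not part of the original article and not Apple's fix) that scans .qtl files and reports qtnext or src values that are not http/https/rtsp URLs or that contain whitespace, quoting, shell metacharacters or control characters. It assumes a QTL file is a small XML document with an `<embed>` element carrying those attributes; the allow-list and the character policy are this example's own choices, and both sample files are constructed for the demonstration.

```python
"""Flag QuickTime Link (.qtl) files whose qtnext/src URL looks unsafe to hand to an external handler."""
import re
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: a QTL file is an XML document with an <embed> element whose
# attributes (src, qtnext, ...) carry media URLs.  The policy below is this
# example's own, not Apple's.
ALLOWED_SCHEMES = {"http", "https", "rtsp"}

# Characters that have no business in a media URL: whitespace, quotes, angle
# brackets, shell metacharacters and control characters.
SUSPICIOUS_CHARS = re.compile(r'[\s"\'<>|&;`$\\]|[\x00-\x1f\x7f]')


def check_url(value):
    """Return the list of reasons a URL attribute value is suspicious (empty means it looks fine)."""
    reasons = []
    if SUSPICIOUS_CHARS.search(value):
        reasons.append("contains whitespace, quoting, control or shell metacharacters")
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append(f"scheme {parts.scheme!r} not in allow-list {sorted(ALLOWED_SCHEMES)}")
    elif not parts.netloc:
        reasons.append("URL has no host component")
    return reasons


def scan_qtl(xml_text):
    """Parse QTL text and return [(attribute_name, value, reasons)] for every
    URL-bearing attribute (qtnext, qtnext1..., src) that fails a check."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A file that is not even well-formed XML is itself worth a look.
        return [("<parse>", "", [f"not well-formed XML: {exc}"])]
    findings = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            lname = name.lower()
            if lname.startswith("qtnext") or lname == "src":
                reasons = check_url(value)
                if reasons:
                    findings.append((name, value, reasons))
    return findings


# Constructed sample: a benign link file chaining two clips on one host.
BENIGN_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="http://media.example.com/intro.mov"
       qtnext="http://media.example.com/main.mov" autoplay="true"/>
"""

# Constructed sample: the qtnext value is not a media URL at all.
SUSPICIOUS_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="http://media.example.com/intro.mov"
       qtnext="localhandler:open --option value" autoplay="true"/>
"""


def main(paths):
    """Scan each file given on the command line, or the two samples when none are given."""
    inputs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not inputs:
        inputs = [("benign.qtl (sample)", BENIGN_QTL), ("suspicious.qtl (sample)", SUSPICIOUS_QTL)]
    for label, text in inputs:
        findings = scan_qtl(text)
        status = "SUSPICIOUS" if findings else "ok"
        print(f"{label}: {status}")
        for name, value, reasons in findings:
            print(f"  {name}={value!r}: " + "; ".join(reasons))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see both constructed samples classified, or pass one or more .qtl files. The checks are deliberately strict: a qtnext value using QuickTime's optional `<url> T<target>` frame-target syntax would be flagged as well, which is the right trade-off for a mail gateway or download scanner where a false positive costs a manual look and a miss costs a code execution.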
The flaw does not exist in Mac OS X.
Anyone who wants to download the update can do so from Apple's website.