Why is QuickTime so much of a security problem?

[Envergure]

I was reading this article and when I came to where it says last year's winner exploited a QuickTime vulnerability I thought, "how could QuickTime be a security vulnerability?" It seems to me that QuickTime is a media player and shouldn't even have the capacity to send files to a hacker.

I'm not well-informed on security, so please answer accordingly

 

[Bobbye]

The latest
http://www.f-secure.com/weblog/archives/00001325.html

 

[DelJo63]

I thought, "how could QuickTime be a security vulnerability?"

Ok, consider ANYTHING that has animation in it; animated gif, Flash, RealPlayer, Quicktime, ...

There are two choices to make it work;

1. embed sequences to be interpreted by some common program
2. distribute an interpreter inside the file itself

ALL interpreters are risky and that's why Outlook and Outlook Express are exposed
to attacks as well. Without disclosing the how-to, special sequences allow operations
that expose the underlying system and unless extra heavy validations are performed
for the values used with the sequence, nasty stuff happens.

The other issue is buffer overflow puts things in a critical location that cause the
'payload' to be executed when some internal function completes -- thus
infecting the system.