Last month, security researches Petko D. Petkov and Aviv Raff published proof-of-concept exploits to show that QuickTime still had a major protocol handling problem that could cause Firefox to install backdoors and other malware on a fully patched computer. Although the Mozilla team promptly patched the bug in Firefox 2.0.0.7, Apple has finally come up with its own fix for the year-old QuickTime vulnerability.
"A command injection issue exists in QuickTime's handling of URLs in the qtnext field in files with QTL content," the company explained. "By enticing a user to open a specially crafted file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution."
The patch affects users of QuickTime 7.2 on Windows Vista and Windows XP SP2. A 7MB security update is available for download at the Apple's website.