It didn’t take long for an exploit to emerge for QuickTime version 7.5.5. Merely a week after Apple updated the media player to plug nine security bugs, a proof-of-concept exploit for a zero-day vulnerability has been posted. It can be used to crash iTunes, a web browser, or any other program that uses the QuickTime plug-in.
The exploit, which was published on the milw0rm.com site earlier this week, takes advantage of a flaw in QuickTime that causes a crash when an unusually long parameter is passed along with a movie file. Although it has not actually been demonstrated, remote code execution is also claimed to be possible “with no user interaction, other than an attempt to view a file.”
At the moment, there is no recommended workaround or patch available for the vulnerability, so users are (as always) encouraged to browse the web safely and avoid opening QuickTime files from unknown sources.