Windows QuickTime Zero-day Flaw Discovered

A new security flaw in QuickTime 7.3.1 for Windows surfaced on Thursday that apparently lets an attacker take control of remote PCs. The vulnerability was discovered by Italian security researcher Luigi Auriemma who posted proof-of-concept code for the exploit on the Internet, according to InformationWeek.

The alleged flaw takes advantage of a buffer overflow bug that lets an attacker send malicious code when QuickTime attempts to access a Real-Time Streaming Protocol link and port 554 on the server is closed.

Symantec Security Response claimed that the flaw appears to be legit. The companyis vice president of development, Alfred Huger, commented "The proof of concept code only managed to crash the product. But itis a safe assumption that if you can do that you may be able to execute remote code."

So far the flaw appears to impact only the Windows version of QuickTime, and to date there are no known instances of an actual attack based on the vulnerability. The likelihood that Windows users could see an actual attack based on Mr. Auriemmais sample code, however, is higher since he chose to publish his proof-of-concept before contacting Apple.