updated 04:55 pm EDT, Mon September 25, 2006
SecurityFocus has warned of an arbitrary-script-execution weakness in Apple's QuickTime plug-in that arises when it processes QuickTime Media Link files. Attackers can exploit the issue to execute arbitrary script code, limited to the context of the affected application, and to load local content in a user's Web browser, which could lead to further security issues. QuickTime 7.1.3 is known to be vulnerable, and other versions of QuickTime may also be at risk. Apple has yet to issue patches for the vulnerability, and two proof-of-concept QuickTime Media Link files that use the .mp3 file extension are already available.