updated 09:25 am EDT, Thu September 18, 2008
QuickTime 7.5.5 flaw
A possible security hole has been discovered in QuickTime 7.5.5, which was released last week alongside iTunes 8. Symantec researcher Aaron Adams notes that a particular parameter in QuickTime is not geared to cope with strings past a certain length, and that if this trait were to be properly exploited, it could represent a security threat. "Symantec is currently investigating this flaw further to determine the underlying technical details," Adams' official note reads.
Present testing has only been able to force QuickTime to crash, but it is believed that the potential exists to run arbitrary code, which if true could cause significant danger to QuickTime users. An interested hacker could embed a malicious file onto a website, and launch an attack with minimal interaction on the part of the victim.
Adams suggests that there is currently no real defense against such an attack, beyond avoiding suspicious websites or disabling the QuickTime plug-ins of various browsers.