The third bug from the Month of Apple Bugs is the Apple QuickTime HREFTrack Cross-Zone Scripting vulnerability … today seems to be the day for cross-zone scripting exploits!
(NOTE: The second bug, the VLC Media Player udp:// Format String Vulnerability, did not affect our environment, so there is no write-up here.)
This MoAB issue shows that this vulnerability can also be used in a cross-zone scripting attack which, in combination with other vulnerabilities, could allow remote execution of arbitrary code on the user’s machine, as well as disclosure of the filesystem contents. [MOAB]
This exploit works up to the current QuickTime Version 7.1.3.