The third bug from the Month of Apple Bugs is the Apple QuickTime HREFTrack Cross-Zone Scripting vulnerability … today seems to be the day for cross-zone scripting exploits!
(NOTE: The second bug, the VLC Media Player udp:// Format String Vulnerability, did not affect our environment, so there is no write-up for it here.)
This MoAB issue shows that the vulnerability can also be used in a cross-zone scripting attack which, in combination with other vulnerabilities, could allow remote execution of arbitrary code on the user's machine as well as disclosure of the filesystem contents. [MOAB]
The exploit works against QuickTime versions up to and including the current release, 7.1.3.
Mitigation:
There are currently no patches available. The risk can be lowered by configuring QuickTime to open media as a standalone application rather than through the browser plug-in (delete the plug-in files npqtplugin*.dll), because the exploit depends on the movie being rendered inside an environment that can interpret scripts such as JavaScript; a standalone player offers no such script context.
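The following script is an added example, not part of the original post, for carrying out the mitigation above in a repeatable way: it locates every npqtplugin*.dll in a list of directories and moves the files into a quarantine folder from which they can be restored once a patch ships. The install directories in DEFAULT_PLUGIN_DIRS are assumptions about typical locations, not paths given by the advisory; pass your own list if QuickTime or the browser is installed elsewhere.

```python
"""Locate the QuickTime browser plug-in (npqtplugin*.dll) and quarantine it.

Run with no arguments for a dry run that only reports what would be moved;
add --apply to actually move the files.
"""
import fnmatch
import shutil
import sys
from pathlib import Path
from typing import Iterable, List

# File name pattern from the advisory's mitigation. It is matched against the
# lower-cased name because Windows file names are case-insensitive.
PLUGIN_PATTERN = "npqtplugin*.dll"

# Assumed install locations (not from the original post); override as needed.
DEFAULT_PLUGIN_DIRS = [
    r"C:\Program Files\QuickTime\Plugins",
    r"C:\Program Files\Mozilla Firefox\plugins",
]


def find_quicktime_plugins(dirs: Iterable[str]) -> List[Path]:
    """Return every npqtplugin*.dll found directly inside the given directories.

    Directories that do not exist are skipped, so the same list can be used
    on machines with different browser/QuickTime combinations.
    """
    found: List[Path] = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for entry in sorted(base.iterdir()):
            if entry.is_file() and fnmatch.fnmatch(entry.name.lower(), PLUGIN_PATTERN):
                found.append(entry)
    return found


def quarantine_plugins(dirs: Iterable[str], quarantine_dir: str,
                       dry_run: bool = True) -> List[Path]:
    """Move each matching plug-in into quarantine_dir.

    Returns the destination paths; with dry_run=True nothing is moved and the
    returned list is the plan. The source directory name is folded into the
    quarantined file name so the file can later be put back where it came from.
    """
    qdir = Path(quarantine_dir)
    moved: List[Path] = []
    for plugin in find_quicktime_plugins(dirs):
        dest = qdir / f"{plugin.parent.name}__{plugin.name}"
        if not dry_run:
            qdir.mkdir(parents=True, exist_ok=True)
            shutil.move(str(plugin), str(dest))
        moved.append(dest)
    return moved


if __name__ == "__main__":
    apply = "--apply" in sys.argv
    for dest in quarantine_plugins(DEFAULT_PLUGIN_DIRS, "quarantine", dry_run=not apply):
        print(("moved to " if apply else "would move to ") + str(dest))
```

Removing the plug-in is a stop-gap, not a fix: browsers that still have QuickTime registered as a handler will hand the movie to the standalone player, which is the intended outcome, but the files should be restored (or the plug-in reinstalled) only after a patched QuickTime is deployed.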