Summary
A month ago, a vulnerability in QuickTime was exploited to spread a worm on MySpace. The vulnerability was first published by pdp. In his article, pdp describes how the HREFTrack attribute in .mov files can be used for malicious scripting. The MySpace worm abused this vulnerability as a cross-site scripting attack vector.
This MoAB issue shows that the same vulnerability can also be used in a cross-zone scripting attack, which, in combination with other vulnerabilities, could allow remote execution of arbitrary code on the user's machine as well as disclosure of filesystem contents.
Affected versions
This issue has been successfully exploited in QuickTime™ Version 7.1.3. Previous versions should be vulnerable as well.
Workaround or temporary solution
Apple has released a patch to address the MySpace worm. This patch is limited to Microsoft Internet Explorer users, and it was only published on MySpace.com (?) rather than as an official release on Apple.com. We have tested this patch on several machines, and it seems to have no effect at all. With this patch applied, we can still refer to local resources.
In addition, pdp has already published another vulnerability in QuickTime’s .QTL files which can be exploited in the same way as the HREFTrack vulnerability in order to conduct remote code execution.
Thus, until real patches are available, we recommend uninstalling QuickTime or simply living with the feeling of being a potential target for pwnage.
Source: MOAB-03-01-2007: Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability