Apple details Quicktime 7.7.3 drive-by vulnerabilities

Apple has released a fix for a number of vulnerabilities in its QuickTime player, closing critical security holes that had left Windows users vulnerable to drive-by attacks.

The update was initially released on Sunday, though Apple only revealed the reason for the update on Thursday.

According to Apple, the QuickTime update addresses nine vulnerabilities, which could theoretically have been exploited by attackers to crash the application or execute arbitrary code on the user's system.

It is currently unclear whether the vulnerabilities were ever exploited. However speaking to V3, F-Secure security analyst Sean Sullivan warned that the potential damage a successful attack could have done was massive.

"It is really difficult to say exactly how ‘bad' these vulnerabilities are, but based on the names of those that found them, we would make an educated guess: pretty bad indeed," Sullivan told V3.

"There are nine vulnerabilities and they all appear to relate to stuff that would make for good drive-by exploits: PICT; TARGA (image file types); MP4; and flaws in the ActiveX control. So basically, visit a webpage with a maliciously crafted image or movie or HTML and get ‘pwned'," he said.

Sullivan added that  lack of available information regarding the vulnerabilities and whether they had been exploited is systematic of Apple's closed-door approach to security.

"All of the Common Vulnerabilities and Exposures (CVEs) are place holders and none of the sites that track such things have any advanced details, yet," said Sullivan.

"This is modus operandi for Apple. They don't acknowledge that security issues exist until they release a patch."

Sullivan went on to recommend users uninstall Quicktime, clarifying that it is likely there may be more undisclosed vulnerabilities in the media player.

"QuickTime vulnerabilities are why I've never had the software installed on my work computer, and haven't had it installed at home since iTunes no longer required it. The QuickTime plug-in for Windows is a very popular target of Exploit Kits," he said.

"Personally, I would recommend Windows users to uninstall QuickTime if they don't use it much. It isn't required for iTunes anymore, and other than Apple's live-stream the other week, I can't remember the last time I would have needed it."

The QuickTime update is one of many security posts released by Apple over the last few months. Most recently the company released a Safari security update alongside a patch for its iOS mobile operating system on 2 November.