Serious QuickTime flaw uncovered, known about months ago
A new vulnerability has been discovered in Apple's QuickTime: a bizarre remnant of some development code that was left in place for at least nine years. It was spotted by Ruben Santamarta of Spain-based security firm Wintercore, who figured out how to repurpose the redundant code to bypass the anti-hacking defenses in Windows and take control of the underlying computer.
Santamarta published his discovery. A successful compromise only requires a Windows user with either QuickTime 7.x or QuickTime 6.x installed to visit a malicious website with Microsoft's Internet Explorer. In yet another twist, it has emerged that security outfit TippingPoint filed a bug report for the exact flaw with Apple two months ago.
Aaron Portnoy, security team lead for HP TippingPoint's Zero Day Initiative (ZDI), noted that this is proof that vendors should speed up their efforts in patching discovered security vulnerabilities. "Overlapping discoveries are occurring much more often," Portnoy noted. "This just reinforces the reasoning to put disclosure deadlines on vulnerabilities."
Portnoy went on to lament Apple's indifferent attitude toward the reported bug. "I can't understand it. It's literally a single parameter [in QuickTime]. I could have completely solved this within a day."
Attack code has already been added to Metasploit, a popular open-source toolkit used for conducting security audits or evaluations. It also appears that some malicious sites hosting exploits against this vulnerability have been spotted in the wild. As such, users might want to avoid IE for now.
For more on this story:
- check out this article at Computerworld
- read this article at The Register



