QuickTime browser bug puts your PC at risk

A flaw in the latest version of QuickTime could leave your PC open to a malicious attack

Apple's QuickTime media player is in trouble again - this time for a year-old exploit in a browser plug-in that opens up your PC to malicious attack. Firefox's creator Mozilla is so concerned that its head of security, Window Snyder, has labelled the threat "very serious".

The flaw can be found in QuickTime's MediaLink (.qtl) function, which enables the program to parse up to 60 different file types with a compatible extension, says Macworld UK. Because XML files are parsed unsanitised, hackers have the opportunity to create a link to a malicious JavaScript file and have it run automatically in QuickTime.

The flaw appears to cause particular problems with Firefox, hence Mozilla's concern. By contrast, users of Internet Explorer and Opera on the PC are reporting few or zero problems when running proof-of-concept samples developed by UK-based application tester Petko Petkov. Mac users are also reporting zero problems running Firefox in Mac OS X.

Firefox partly to blame?

While Apple is undoubtedly to blame for the exploit, some security experts are also pointing the finger at Firefox. The exploit can reportedly bypass 'chrome' privileges in the browser and its built-in security features.

Apple and Mozilla are said to be working together on a fix, but until that happens your best bet is to disable the QuickTime plug-in in whichever web browser you use.

The cross-platform QuickTime media player has suffered from a number of security problems in the last 12 months, forcing Apple to release four security updates for the program. One flaw enabled a worm to be spread across the MySpace social networking site.