Remember QSpace, the (very) recent MySpace worm? When Apple 'patched' that, they provided the patch only on MySpace.com and then only for Internet Explorer users - leaving those not on MySpace or using a different browser in vulnerability limbo. Now the 'Apple Bug a Day' project is reporting a new XSS vulnerability in QuickTime, which even the elite MySpace/IE users aren't protected against. And it's on the heels of the January 1st 'Apple Bug a Day' release of another QuickTime security flaw, this time in its handling of certain URL types, which could lead to remote code execution. Also vying for attention is the equally serious Adobe Reader PDF/XSS vulnerability reported yesterday. Individually, any of the three bugs is critically important to fix. Combined, the potential for exploitation is rather sobering.
Researchers at the "Apple Bug a Day" project are recommending that users uninstall QuickTime until Apple releases a patch. Those using Adobe Reader version 7 should visit the Adobe website and download and install Adobe Reader version 8. Simply updating the susceptible version 7 won't suffice - updates will only go as far as version 7.08, which is still vulnerable to the PDF/XSS exploits.