Wintercore’s Ruben Santamarta claims Apple has failed to clean up some old code nested within QuickTime which can leave Internet Explorer vulnerable to yet another of the Microsoft browser’s long line of potential attacks. The exploit is simple to execute just by tricking a user into visiting a malicious site hosting the exploit code, a so-called “drive-by” attack. The attack code works when someone browses with IE on a machine running Windows XP, Vista or Windows 7 that has QuickTime 7.x or the older QuickTime 6.x installed. Apple patched QuickTime for Windows on August 11 (version 7.6.7).The exploit works because Apple didn’t tidy up QuickTime’s code after developers dropped the “_Marshaled_pUnk” function, something the researcher attributes to human error. “Although this functionality was removed in newer versions, the parameter is still present,” Santamarta wrote. “Why? I guess someone forgot to clean up the code.”
