The vulnerability is exploited through maliciously crafted files that unsuspecting users open with QuickTime, leading to arbitrary code execution. "A command injection issue exists in QuickTime's handling of URLs in the qtnext field in files with QTL content. By enticing a user to open a specially crafted file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution," Apple describes.
The update is available at: http://www.apple.com/support/downloads/
Source: News.com
Written by: James Delahunty @ 4 Oct 2007 17:44