August 31, 2010

Apple QuickTime "_MARSHALED_PUNK" 0-day

Elad Sharf Security Researcher

Yesterday we received reports about a flaw in Apple's QuickTime player. According to the reports, this flaw can potentially allow an attacker to exploit the user's machine through the browser by making it run arbitrary code without user interaction - a classic drive-by vulnerability.

Following a blog post by Ruben Santamata, the flaw apparently stems from the vulnerable file QTPlugin.ocx, which is part of the default QuickTime installation. According to the analysis, the flaw affects the latest version of QuickTime (, as well as older versions of 7.x and 6.x. 

 The DLL file (QTPlugin.ocx) that holds the reported vulnerability is an ActiveX control used by Internet Explorer. Thus,  the vulnerability applies only to that browser, not to any other browser.

We are currently looking into this report and are doing more analysis. We have also started searching for any malicious code on the Web that might emerge and take advantage of this vulnerability. Our customers are protected from attacks that use this vulnerability by ACE, which includes our generic shellcode analytics.


It's certainly not the first time that QuickTime has suffered from such vulnerabilities. One of the latest was CVE-2010-1799, which Apple has already managed to patch near the start of August.


We'll keep you updated on any developments.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.