Apple's failure to clean up old code in QuickTime leaves users running Internet Explorer (IE) vulnerable to drive-by attacks, a Spanish security researcher said yesterday. Ruben Santamarta, a researcher at Madrid-based Wintercore who disclosed a bug in IE8 last month, has now outlined the QuickTime plug-in vulnerability.

Attackers only need to trick users into visiting a malicious site hosting exploit code, said Santamarta, who added that his attack code works when somebody browses with IE on a machine running Windows XP, Vista or Windows 7 that has QuickTime 7.x or the older QuickTime 6.x installed.

"While this functionality was removed in newer versions, the parameter is still present," Santamarta stated in his advisory. "Why? I guess somebody forgot to clean up the code." His attack code also bypasses a pair of important security measures Microsoft has added to Windows: DEP (data execution prevention) and ASLR (address space layout randomization).