Apple has patched a flaw in QuickTime that could allow for remote attacks.

The fix addresses a vulnerability in the Windows Vista and XP versions of QuickTime, which is commonly installed as a browser plug-in or as a component of iTunes. OS X users are not affected.

Apple said that the problem concerns QuickTime Media Links (QTLs) which are often used to launch media files from browsers.

If a specially crafted QTL is launched, QuickTime can allow access to a command line which could then be used to execute malicious code.

Security researcher Petko D Petkov showed last month how a malformed QTL file could be placed within a web page and disguised as a movie or song file.

When clicked, the links would allow for JavaScript code to run with the privileges of the current user.

The researcher provided several proof-of-concept samples which caused vulnerable machines to display alert boxes, launch arbitrary applications and even shut down.

Although the Apple security notice does not specifically mention the report, a spokesperson confirmed to vnunet.com that the fix addresses the flaw described by Petkov.

Users can obtain the update via the Software Update application or from Apple's support site.