Original URL: http://www.theregister.co.uk/2007/01/03/quicktime_vuln/
Unpatched bug bites QuickTime
First release from Month of Apple Bugs
Posted in Security, 3rd January 2007 11:57 GMT
Free whitepaper – Hands on with Hyper-V 3.0 and virtual machine movement
Security researchers have uncovered a buffer overflow flaw [1] in Apple's QuickTime media player software that creates a means for hackers to load malware onto vulnerable systems.
The vulnerability - which affects both Windows and Mac OS X PCs - is the first to be published [2] as part of the "Month of Apple Bugs" project, which involves a plan to release details of previously undisclosed Mac OS X or Apple application security bugs every day in January.
The as-yet-unpatched vulnerability involves a flaw in Apple QuickTime 7.x, specifically an error in processing malformed Real Time Streaming Protocol (RTSP) URLs. As a result, users tricked into running malformed Quicktime files or who visit a hacker website hosting the exploit are liable to find their systems owned due to this stack-based buffer overflow bug. Security clearing house US CERT reports [3] that hackers have created an exploit targeting the bug, increasing the risk posed by the flaw.
Users are advised to avoid opening QuickTime files from untrusted sources or visiting dodgy sites. Or, as a posting [4] from the SANS Institute's Internet Storm Centre, users might want to disable RTSP URL processing as a workaround, ahead of patches from Apple that provide a more comprehensive fix. ®