Exploit for QuickTime vulnerability in circulation
by Stephen Withers   
Tuesday, 27 November 2007
A proof of concept exploit for a recently discovered QuickTime vulnerability has been released.

The underlying problem is a stack buffer overflow that can be triggered by a maliciously crafted RTSP stream, resulting in a crash or the execution of arbitrary code.

Symantec suggests the most likely attacks using this vulnerability will come via email using attachments that will open RTSP connections despite appearing to be media files, or through the web, using embedded QuickTime streaming objects.

The company says the proof of concept is a successful web attack when received by Firefox, which passes the RTSP requests to QuickTime Player. Internet Explorer and Safari use a plug-in to handle QuickTime items, and the exploit triggers their overflow protection mechanisms. Symantec suggests this shortcoming might be overcome with more effort.

The proof of concept only targets QuickTime 7.2 and 7.3 (which was released earlier this month) on Windows XP and Vista, but it does not appear to have been established whether the Mac OS X versions share the vulnerability.

Until Apple releases a patch, suggested mitigations include disassociating the RTSP MIME type from QuickTime, blocking RTSP traffic at the firewall, and disabling QuickTime ActiveX controls in Internet Explorer.
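Alongside those mitigations, a network or proxy-side check can flag RTSP responses carrying abnormally large header fields, which is how a crafted stream aimed at a stack buffer would typically present. The following is an added illustration, not code from the article or from Symantec; the article does not say which RTSP field is affected, so the check is a plain length heuristic over every header value, and the sample responses and the 512-byte threshold are constructed assumptions.

```python
# Constructed sample RTSP responses (not captured traffic).
BENIGN_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Same shape, but one header value is padded far beyond any sane length.
SUSPICIOUS_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Server: " + ("A" * 2000) + "\r\n"
    "\r\n"
)

MAX_HEADER_VALUE_LEN = 512  # assumed threshold; tune to the streams you actually see


def parse_rtsp_headers(raw: str):
    """Split an RTSP response into its status line and (name, value) header pairs."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            # A header line without a colon is itself malformed; surface it.
            raise ValueError(f"malformed header line: {line[:40]!r}")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def audit_rtsp_response(raw: str):
    """Return (header name, reason) findings for fields that look abnormally large."""
    findings = []
    status_line, headers = parse_rtsp_headers(raw)
    if not status_line.startswith("RTSP/"):
        findings.append(("status-line", "does not start with RTSP/"))
    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append((name, f"value is {len(value)} bytes, over {MAX_HEADER_VALUE_LEN}"))
    return findings


if __name__ == "__main__":
    print(audit_rtsp_response(BENIGN_RESPONSE))      # []
    print(audit_rtsp_response(SUSPICIOUS_RESPONSE))  # one finding on "Server"
```

This only inspects the header block; a fuller check would also bound the SDP body and the individual lines inside it.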

The Windows version of QuickTime is installed alongside iTunes, and is therefore found on a significant number of Windows-based PCs.

A related vulnerability was disclosed during the Month of Apple Bugs.
