Another month, another QuickTime vulnerability
by Stephen Withers   
Monday, 14 January 2008
Deliberately malformed media files and streams have proved successful ways of taking control of computers, so it's not surprising that malware writers and security researchers continue to target software involved in their playback.

The latest issue to arise is (yet another) buffer overflow exploit, once again targeting QuickTime's Real-Time Streaming Protocol (RTSP) code.

Dozens of QuickTime flaws were corrected by Apple during 2007, and the most recent update addressed another RTSP issue.

The new flaw was revealed by Luigi Auriemma, who said both Mac and Windows versions of QuickTime 7.3.10 and earlier are affected. It occurs in the handling of HTTP error messages, and can be exploited with an RTSP link to a server that has port 554 closed, causing QuickTime to retry the request using HTTP on port 80. If the server sends a maliciously crafted error message in response to the HTTP request, QuickTime will display it in the status area of the player window, triggering the flaw and allowing the execution of code contained in the message.
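The defensive pattern for this bug class is to treat the server's error text as untrusted input and bound the copy into the display buffer. The sketch below is an added example, not Apple's code or anything from the advisory; the function name `status_from_http_line` and the 64-byte `STATUS_AREA_LEN` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define STATUS_AREA_LEN 64  /* assumed size of the player's status text buffer */

/*
 * Parse "HTTP/1.x <code> <reason>" and copy the reason phrase into a
 * fixed-size status buffer. Returns the status code (100-599), or -1 if the
 * line is malformed. The copy is bounded by outlen and always NUL-terminated;
 * *truncated is set to 1 when the server's text did not fit.
 */
int status_from_http_line(const char *line, char *out, size_t outlen,
                          int *truncated)
{
    if (!line || !out || outlen == 0 || !truncated)
        return -1;
    out[0] = '\0';
    *truncated = 0;

    /* Accept only an HTTP/1.x version token followed by one space. */
    if (strncmp(line, "HTTP/1.", 7) != 0 || !isdigit((unsigned char)line[7])
        || line[8] != ' ')
        return -1;

    /* Exactly three digits, then a space or the end of the line. */
    const char *p = line + 9;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)p[i]))
            return -1;
    if (p[3] != ' ' && p[3] != '\r' && p[3] != '\n' && p[3] != '\0')
        return -1;
    int code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
    if (code < 100 || code > 599)
        return -1;
    p += 3;
    if (*p == ' ')
        p++;

    size_t n = 0;
    for (; *p && *p != '\r' && *p != '\n'; p++) {
        if (n + 1 >= outlen) { *truncated = 1; break; }  /* keep room for NUL */
        /* Replace non-printable bytes so raw server data never reaches the UI. */
        out[n++] = isprint((unsigned char)*p) ? *p : '?';
    }
    out[n] = '\0';
    return code;
}
```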

Blocking such attacks in the absence of a fix for the underlying problem is not simple, though US-CERT has made several suggestions.

Uninstalling QuickTime is not practical for most users, and blocking all RTSP traffic at the firewall would cut off much streaming media.

Changing the RTSP handler to another application is feasible, but you'd need to identify one that has plugged all known vulnerabilities; otherwise you would be no better off.
