Another month, another QuickTime vulnerability
by Stephen Withers
Monday, 14 January 2008
Dozens of QuickTime flaws were corrected by Apple during 2007, and the most recent update addressed another RTSP issue. The new flaw was revealed by Luigi Auriemma, who said both Mac and Windows versions of QuickTime 7.3.10 and earlier are affected.

It occurs in the handling of HTTP error messages, and can be exploited with an RTSP link to a server that has port 554 closed, causing QuickTime to retry the request using HTTP on port 80. If the server sends a maliciously crafted error message in response to the HTTP request, QuickTime will display it in the status area of the player window, triggering the flaw and allowing the execution of code contained in the message.

Blocking such attacks in the absence of a fix for the underlying problem is not simple, though US-CERT has made several suggestions. Uninstalling QuickTime is not practical for most users, and blocking all RTSP traffic at the firewall would cut off much streaming media. Changing the RTSP handler to another application is feasible, but you'd need to identify one that has plugged all known vulnerabilities; otherwise you would be no better off.
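The sequence described above (a refused connection on port 554, then an HTTP request to the same server on port 80 that comes back with an error) leaves a recognisable trace in network logs. The following is an added example, not part of the original article: the log format, the sample records and the 10-second retry window are all assumptions, and a match marks a flow for review rather than proving exploitation.

```python
from datetime import datetime, timedelta

# Constructed sample flow records (not from the article):
# time, client, server, destination port, outcome.
# "refused" = TCP connect rejected; a number = HTTP status returned.
SAMPLE_LOG = """\
2008-01-14T09:00:01 10.0.0.5 203.0.113.7 554 refused
2008-01-14T09:00:02 10.0.0.5 203.0.113.7 80 404
2008-01-14T09:01:10 10.0.0.8 198.51.100.9 554 ok
2008-01-14T09:01:11 10.0.0.8 198.51.100.9 80 200
2008-01-14T09:02:00 10.0.0.9 203.0.113.7 80 404
2008-01-14T09:05:00 10.0.0.6 192.0.2.44 554 refused
2008-01-14T09:09:30 10.0.0.6 192.0.2.44 80 500
"""

WINDOW = timedelta(seconds=10)  # assumed upper bound for the player's retry delay


def parse(line):
    ts, client, server, port, outcome = line.split()
    return datetime.fromisoformat(ts), client, server, int(port), outcome


def find_fallbacks(log_text, window=WINDOW):
    """Return (client, server, http_status) for each RTSP-to-HTTP fallback
    that ended in an HTTP error response. Records must be in time order."""
    failed_rtsp = {}  # (client, server) -> time of the last refused tcp/554 attempt
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, server, port, outcome = parse(line)
        key = (client, server)
        if port == 554:
            if outcome == "refused":
                failed_rtsp[key] = ts
            else:
                failed_rtsp.pop(key, None)  # RTSP worked, no fallback expected
        elif port == 80 and key in failed_rtsp:
            started = failed_rtsp.pop(key)
            is_error = outcome.isdigit() and int(outcome) >= 400
            if is_error and ts - started <= window:
                hits.append((client, server, int(outcome)))
    return hits


if __name__ == "__main__":
    for client, server, status in find_fallbacks(SAMPLE_LOG):
        print(f"review: {client} fell back from RTSP to HTTP on {server}, got HTTP {status}")
```

Plain HTTP errors with no preceding port 554 attempt, and fallbacks that arrive long after the refused connection, are deliberately not reported.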