Stephen Withers
Thursday, 29 November 2007 09:19
A second proof-of-concept exploit for the QuickTime RTSP vulnerability has been identified by Symantec's security response team.
The unfortunately named Quimkids Trojan relies on a specially modified RTSP server. It works by using JavaScript to send shell code to the target system while the RTSP server sends a stream that overwrites the QuickTime stack and triggers the stored shell code.
Since the attack relies on Internet Explorer, it is specific to Windows XP and Vista.
This approach makes it easier to deliver whatever shell code the attacker chooses, but it will not work on an unmodified RTSP server. Symantec has assigned Quimkids its lowest risk level as it has been found on a very small number of sites and is easily contained and removed.
Symantec currently recommends that sites block RTSP completely unless it is specifically required, disable the QuickTime ActiveX controls in Internet Explorer and the plug-in for Firefox, and disable JavaScript (this is a tall order given that even Symantec's web site uses JavaScript). As always, users should avoid untrusted QuickTime files.