Filed under: Security
Zero-day exploit in QuickTime could hit Win iTunes users
Over the weekend, security researchers announced a vulnerability in QuickTime's handling of the RTSP streaming protocol, and Windows-only exploit code is already circulating. The flaw lets an attacker craft specially formatted RTSP responses that trigger a buffer overflow in the client, which in turn allows arbitrary code execution in the context of the logged-in user. Unfortunately, there are plenty of ways to get someone to open a malicious RTSP link, including sending it by email or embedding it in a web page. While Symantec notes that IE and Safari for Windows appear to be resistant to the current exploit code, opening a malicious RTSP link in current versions of Firefox or directly in QuickTime Player would allow the exploit to run.
For now, there is no Mac version of the exploit (cold comfort to the millions of iTunes for Windows users); hopefully there will be a QuickTime security patch on both platforms before any additional exposure occurs. Rich Mogull at TidBITS has some helpful tips for securing your network, including blocking the RTSP protocol at the firewall and blocking outbound RTSP connections with Little Snitch.
Update 10:30 am Thursday: Commenter Moulles points out that a cross-platform exploit for the RTSP flaw, which could target either PCs or Macs, has now been published.
[via TidBITS]
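The bug described above is a client-side parsing failure: an RTSP response carries fields that the client copies into fixed-size storage without checking their length. The following added example (not code from the TUAW post, from Apple, or from TidBITS) shows what a bounded RTSP response parser looks like: every status line and header is length-checked and validated before anything is stored. The limits, the helper names and the two sample responses are constructed for this example and are not taken from the QuickTime code or from the exploit.

```python
import re

# Assumed limits for this example; a real client would choose values that
# match the sizes of its own internal buffers.
MAX_STATUS_LINE = 256
MAX_HEADER_NAME = 64
MAX_HEADER_VALUE = 1024
MAX_HEADERS = 64


class RtspParseError(ValueError):
    """Raised for malformed or oversized RTSP responses."""


# "RTSP/1.0 200 OK" style status line; reason phrase limited to printable ASCII.
_STATUS_RE = re.compile(r"^RTSP/(\d)\.(\d) (\d{3}) ([\x20-\x7e]*)$")
# Header names must be RFC 2616 tokens (RTSP reuses HTTP/1.1 header syntax).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_rtsp_response(raw: bytes) -> dict:
    """Parse the status line and headers of an RTSP response.

    Every field is bounds-checked and validated before it is stored, so an
    over-long or malformed field is rejected instead of reaching a
    fixed-size buffer downstream.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RtspParseError("response has no end-of-headers marker")
    lines = head.split(b"\r\n")

    status_line = lines[0]
    if len(status_line) > MAX_STATUS_LINE:
        raise RtspParseError("status line exceeds %d bytes" % MAX_STATUS_LINE)
    try:
        m = _STATUS_RE.match(status_line.decode("ascii"))
    except UnicodeDecodeError:
        raise RtspParseError("status line is not ASCII") from None
    if m is None:
        raise RtspParseError("malformed status line")
    version = "%s.%s" % (m.group(1), m.group(2))
    status = int(m.group(3))

    header_lines = lines[1:]
    if len(header_lines) > MAX_HEADERS:
        raise RtspParseError("too many headers")
    headers = {}
    for line in header_lines:
        name_b, colon, value_b = line.partition(b":")
        if not colon:
            raise RtspParseError("header line without ':'")
        if len(name_b) > MAX_HEADER_NAME:
            raise RtspParseError("header name too long")
        value_b = value_b.strip(b" \t")
        if len(value_b) > MAX_HEADER_VALUE:
            raise RtspParseError("header value too long")
        try:
            name = name_b.decode("ascii")
            value = value_b.decode("ascii")
        except UnicodeDecodeError:
            raise RtspParseError("non-ASCII header") from None
        if not _TOKEN_RE.match(name):
            raise RtspParseError("invalid header name")
        headers[name.lower()] = value

    return {"version": version, "status": status, "reason": m.group(4),
            "headers": headers, "body": body}


def rtsp_response_ok(raw: bytes) -> bool:
    """True if the response passes all bounds and syntax checks."""
    try:
        parse_rtsp_response(raw)
        return True
    except RtspParseError:
        return False


# Constructed sample responses (not captured traffic): one well-formed,
# one with a header value far larger than the parser's limit.
GOOD_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
                 b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
OVERSIZED_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
                      b"Content-Type: " + b"A" * 4096 + b"\r\n\r\n")

if __name__ == "__main__":
    print(parse_rtsp_response(GOOD_RESPONSE)["headers"])
    print("oversized response accepted:", rtsp_response_ok(OVERSIZED_RESPONSE))
```

The point is in the ordering: the length check happens before the bytes are decoded or stored, and the response is rejected as a whole, so a single bad field never reaches whatever buffer the rest of the client uses. The same check belongs in any RTSP-aware proxy or IDS rule used to block the protocol at the network edge, as the TidBITS tips suggest.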



Reader Comments (Page 1 of 1)
Leonard Nimrod said 11:56PM on 11-28-2007
How is this a "zero day exploit"? Isn't the latest version of QuickTime about 4 weeks old?
Reply
Michael Rose said 12:01AM on 11-29-2007
Leonard, in security-speak, "zero-day exploit" means a vulnerability that is unknown to the vendor, or one that is disclosed with existing, working exploit code.
The zero day means that the developer or vendor doesn't have any time between the announcement of the vulnerability and the release of a working exploit to prepare a patch or response. It doesn't have any connection to the release date of the vulnerable application, library or system.
Reply
Michael Rose said 12:02AM on 11-29-2007
http://en.wikipedia.org/wiki/Zero_day
Reply
Luigi193 said 12:47AM on 11-29-2007
Thanks for the info Mr Rose!
Reply
Rafe H. said 2:00AM on 11-29-2007
"...there are plenty of ways to get someone to click a malicious RTSP link, including sending it in email..."
Pay particular attention to blogs that require you to click a link in an email message to complete your post, even though you've successfully logged in to post comments.
OK, finishing this post, checking for TUAW's email AAAAHHHHRRRRGGGGGHHHH....
Reply
moulles said 5:50AM on 11-29-2007
Um, actually this does affect OS X as well...
http://www.theregister.co.uk/2007/11/29/new_quicktime_exploit/
Reply
Peter van Impelen said 6:44AM on 11-29-2007
It worries me that just selecting the RSS feed to this very article in Vienna triggered Little Snitch: Vienna tried to connect (3 times) to:
acblogs-cs-mtc01.evip.aol.com on TCP port 1080 (socks)
What gives?
Reply
Michael Rose said 12:22PM on 11-29-2007
Hi Peter,
TUAW is hosted at AOL, so that connection isn't all that surprising. Why that particular port, though, I can't say.
Peter van Impelen said 1:12PM on 11-29-2007
Michael,
Thanks for responding.
I regularly read articles on TUAW via the links in Vienna: this has never happened before.
I had LS block the connections and subsequently failed to notice anything out of the ordinary...
Obviously nothing of great importance.
Reply
Michael Rose said 1:06PM on 11-29-2007
If I had to guess, I'd say it has something to do with our shiny NEW THREADED COMMENTS (yay!). :-)
Peter van Impelen said 1:24PM on 11-29-2007
Could that also be responsible for the somewhat annoying feature that the link(s) sent to me in the "Hey there! X has replied to one of your comments!" mail point me to a TUAW page with no factual content, apart from the usual header, sidebar and footer?
To read said reply I have to find the (page of the) actual item again in my browser history...
Reply
Laurent said 3:40PM on 12-03-2007
The number of vulnerabilities discovered in Quicktime of late is quite staggering.
I guess it's about time Apple really takes security seriously and has their engineers sanitize their code for real. The more time passes, the more I feel Apple behaves like Microsoft did two years ago.
If they continue, I'll soon be on the verge of regretting having switched from Windows when Tiger came out.
Reply