Zero-day exploit in QuickTime could hit Win iTunes users

Filed under: Security

Zero-day exploit in QuickTime could hit Win iTunes users

by Michael Rose on Nov 28th 2007 at 11:20PM

Over the weekend, security researchers announced a vulnerability in QuickTime's handling of the RTSP streaming protocol, and Windows-only exploit code is already circulating. The flaw allows attackers to craft specially formatted RTSP responses that cause a buffer overflow, and as a result they can execute arbitrary code in the context of the logged-in user. Unfortunately, there are plenty of ways to get someone to click a malicious RTSP link, including sending it in email or including it on a website. While Symantec notes that IE and Safari for Windows appear to be resistant to the exploit code, opening a malicious RTSP link in current versions of Firefox or in QuickTime Player would allow the exploit to run.

For now, there is no Mac version of the exploit (cold comfort to the millions of iTunes for Windows users); hopefully there will be a QuickTime security patch on both platforms before any additional exposure occurs. Rich Mogull at TidBITS has some helpful tips for securing your network, including blocking the RTSP protocol both at the firewall and for outbound connections via Little Snitch.

Update 10:30 am Thursday: Commenter Moulles points out that a cross-platform exploit for the RTSP flaw, which could target either PCs or Macs, has now been published.

[via TidBITS]

Tags: quicktime, rtsp, security

Reader Comments (Page 1 of 1)

Leonard Nimrod said 11:56PM on 11-28-2007

How is this a "zero day exploit"? Isn't the latest version of QuickTime about 4 weeks old?

↓↑report

Michael Rose said 12:01AM on 11-29-2007

Leonard, in security-speak, "zero-day exploit" means a vulnerability that is unknown to the vendor, or one that is disclosed with existing, working exploit code.

The zero day means that the developer or vendor doesn't have any time between the announcement of the vulnerability and the release of a working exploit to prepare a patch or response. It doesn't have any connection to the release date of the vulnerable application, library or system.

↓↑report

Michael Rose said 12:02AM on 11-29-2007

http://en.wikipedia.org/wiki/Zero_day

↓↑report

Luigi193 said 12:47AM on 11-29-2007

Thanks for the info Mr Rose!

↓↑report

Rafe H. said 2:00AM on 11-29-2007

"...there are plenty of ways to get someone to click a malicious RTSP link, including sending it in email..."

Pay particular attention to blogs that require you to click a link in an email message to complete you post, even though you've successfully logged in to post comments.

OK, finishing this post, checking for TUAW's email AAAAHHHHRRRRGGGGGHHHH....

↓↑report

moulles said 5:50AM on 11-29-2007

Um, actually this does effect OS X as well...

http://www.theregister.co.uk/2007/11/29/new_quicktime_exploit/

↓↑report

Peter van Impelen said 6:44AM on 11-29-2007

It worries me that just selecting the RRS feed to this very article in Vienna triggered Little Snitch : Vienna tried to connect ( 3 times ) to :

acblogs-cs-mtc01.evip.aol.com on TCP port 1080 (socks)

What gives ?

↓↑report

Michael Rose said 12:22PM on 11-29-2007

Hi Peter,

TUAW is hosted at AOL, so that connection isn't all that surprising. Why that particular port, though, I can't say.

↓↑report

Peter van Impelen said 1:12PM on 11-29-2007

Michael,

Thanks for responding.
I regularly read articles on TUAW via the links in Vienna : this has never happened before.

I had LS block the connections & subsequently failed to notice anything out of the ordinary ...
Obviously nothing of great importance.

↓↑report

Michael Rose said 1:06PM on 11-29-2007

If I had to guess, I'd say it has something to do with our shiny NEW THREADED COMMENTS (yay!). :-)

↓↑report

Peter van Impelen said 1:24PM on 11-29-2007

Could that also be responsible for the somewhat annoying feature that link(s) sent to me in the

"Hey there ! X has replied to one of your comments !"

mail points me to a TUAW page with no factual content, apart from the usual header, sidebar & footer ?

To read said reply I have to find the ( page of the ) actual item again in my browser history ...

↓↑report

Laurent said 3:40PM on 12-03-2007

The number of vulnerabilities discovered in Quicktime of late is quite staggering.
I guess it's about time Apple really takes security seriously and have their engineers sanitize their code for real. The more time passes the more I feel Apple behaves like Microsoft did two years ago.
If they continue, I'll soon be on the verge of regretting to have switched from Windows when Tiger went out.

↓↑report

Tip of the Day

To find out what version of Mac OS you are running, go to the Apple logo in the top left corner, click it and choose About This Mac. From that window you will see the version number, processor, memory and chosen startup disk. Clicking Software Update will check for updates, and More Info... will open up an extensive list of everything on your machine.

Learn More

TUAW flickr Pool

www.flickr.com

Advertise with us. (Learn more)

Featured Galleries

TUAW bloggers (30 days)

#	Blogger	Posts	Cmts
1	Steven Sande	40	10
2	Mel Martin	32	0
3	Victor Agreda, Jr.	30	8
4	Michael Rose	29	28
5	Mike Schramm	28	1
6	Dave Caolo	22	0
7	Brett Terpstra	17	11
8	Erica Sadun	15	2
9	David Winograd	15	0
10	Megan Lavey	14	6
11	Robert Palmer	13	3
12	Chris Rawson	12	0
13	Sang Tang	10	1
14	Christina Warren	9	25
15	Tim Wasson	9	0
16	Michael Jones	7	0
17	Casey Johnston	6	0
18	Jason Clarke	6	1
19	Mat Lu	5	0
20	Cory Bohon	4	0

More Apple Analysis

AAPL on BloggingStocks The Apple category feed from BloggingStocks.com
AAPL Quote, News & Summary The AAPL financials page from AOL Money and Finance
iPhone analysis from BloggingStocks iPhone tag feed from BloggingStocks
Macintosh news and reviews on Download Squad The Macintosh category feed from Download Squad

The Unofficial Apple Weblog (TUAW)