
Zero-day exploit in QuickTime could hit Win iTunes users

Over the weekend, security researchers announced a vulnerability in QuickTime's handling of the RTSP streaming protocol, and Windows-only exploit code is already circulating. The flaw allows attackers to craft specially formatted RTSP responses that cause a buffer overflow, and as a result they can execute arbitrary code in the context of the logged-in user. Unfortunately, there are plenty of ways to get someone to click a malicious RTSP link, including sending it in email or including it on a website. While Symantec notes that IE and Safari for Windows appear to be resistant to the exploit code, opening a malicious RTSP link in current versions of Firefox or in QuickTime Player would allow the exploit to run.

For now, there is no Mac version of the exploit (cold comfort to the millions of iTunes for Windows users); hopefully there will be a QuickTime security patch on both platforms before any additional exposure occurs. Rich Mogull at TidBITS has some helpful tips for securing your network, including blocking the RTSP protocol both at the firewall and for outbound connections via Little Snitch.

Update 10:30 am Thursday:
Commenter Moulles points out that a cross-platform exploit for the RTSP flaw, which could target either PCs or Macs, has now been published.

[via TidBITS]

12 Comments

Laurent

The number of vulnerabilities discovered in QuickTime of late is quite staggering.
I guess it's about time Apple really takes security seriously and has its engineers sanitize their code for real. The more time passes the more I feel Apple behaves like Microsoft did two years ago.
If they continue, I'll soon be on the verge of regretting having switched from Windows when Tiger went out.

November 29 2007 at 1:42 PM
Peter van Impelen

Could that also be responsible for the somewhat annoying feature that link(s) sent to me in the

"Hey there! X has replied to one of your comments!"

mail points me to a TUAW page with no factual content, apart from the usual header, sidebar & footer?

To read said reply I have to find the (page of the) actual item again in my browser history ...

November 29 2007 at 1:21 PM
Peter van Impelen

Michael,

Thanks for responding.
I regularly read articles on TUAW via the links in Vienna: this has never happened before.

I had LS block the connections & subsequently failed to notice anything out of the ordinary ...
Obviously nothing of great importance.

November 29 2007 at 12:51 PM
1 reply to Peter van Impelen's comment
Michael Rose

If I had to guess, I'd say it has something to do with our shiny NEW THREADED COMMENTS (yay!). :-)

November 29 2007 at 1:06 PM
Peter van Impelen

It worries me that just selecting the RSS feed to this very article in Vienna triggered Little Snitch: Vienna tried to connect (3 times) to:

acblogs-cs-mtc01.evip.aol.com on TCP port 1080 (socks)

What gives?

November 29 2007 at 6:42 AM
1 reply to Peter van Impelen's comment
Michael Rose

Hi Peter,

TUAW is hosted at AOL, so that connection isn't all that surprising. Why that particular port, though, I can't say.

November 29 2007 at 12:22 PM
moulles

Um, actually this does affect OS X as well...

http://www.theregister.co.uk/2007/11/29/new_quicktime_exploit/

November 29 2007 at 5:49 AM
Rafe H.

"...there are plenty of ways to get someone to click a malicious RTSP link, including sending it in email..."

Pay particular attention to blogs that require you to click a link in an email message to complete your post, even though you've successfully logged in to post comments.

OK, finishing this post, checking for TUAW's email AAAAHHHHRRRRGGGGGHHHH....

November 29 2007 at 2:00 AM
Luigi193

Thanks for the info Mr Rose!

November 29 2007 at 12:47 AM
Michael Rose

http://en.wikipedia.org/wiki/Zero_day

November 29 2007 at 12:02 AM
Michael Rose

Leonard, in security-speak, "zero-day exploit" means a vulnerability that is unknown to the vendor, or one that is disclosed with existing, working exploit code.

The zero day means that the developer or vendor doesn't have any time between the announcement of the vulnerability and the release of a working exploit to prepare a patch or response. It doesn't have any connection to the release date of the vulnerable application, library or system.

November 29 2007 at 12:01 AM
Chris

How is this a "zero day exploit"? Isn't the latest version of QuickTime about 4 weeks old?

November 28 2007 at 11:55 PM