Another zero-day exploit for QuickTime
US-CERT and Information Week are reporting a new vulnerability in QuickTime's handling of RTSP streams, which has been demonstrated to crash QuickTime Player on Windows and may also affect the Mac version. See the writeup by researcher Luigi Auriemma, who first announced the flaw.
Unlike the RTSP bug patched in QuickTime 7.3.1 last month, this vector works by overflowing an HTTP error buffer: the error is sent when RTSP port 554 is closed on the malicious server and the QuickTime client tries to switch to port 80. Sneaky.
Since we're almost certain to see iTunes 7.6 and possibly QuickTime 7.3.2 at Macworld anyway, expect another rev of QuickTime to close this hole after those versions ship -- since Apple wasn't notified in advance of this hole, it's unlikely to be caught in the pending updates, as commenter Nicholas points out (unless Apple found the vector independently).

Reader Comments (Page 1 of 1)
Nicholas Ptacek said 12:50PM on 1-11-2008
The Information Week article points out that Apple was not notified ahead of time about this exploit. Also it should be noted that a zero-day exploit usually refers to an exploit previously unknown to the product developer. That said, don't expect that the new versions of iTunes and QuickTime to be (potentially) released at Macworld will patch this issue.
Michael Rose said 1:00PM on 1-11-2008
Sorry, I missed a couple of words in the last graf -- meant to imply that the fix will be AFTER Macworld. Working on it.
Zero-day can mean either unknown to the vendor or simply no patch available:
http://en.wikipedia.org/wiki/Zero_day
Justin said 12:57PM on 1-11-2008
hmm.. possible vector for iPhone 1.1.3 entry?
Luigi193 said 2:16PM on 1-11-2008
hmm.. possible vector for iPhone 1.1.3 entry?
Dave said 4:22PM on 1-11-2008
Possible vector for any type of attack? Virus? Takeover of my computer? Someone please decode this for the _rest_of_us_.
Thanks!
Dave
Jeff Kabbe said 4:38PM on 1-11-2008
I don't think this qualifies as a zero-day exploit. It certainly was unknown before, but there is no "exploit." A 0-day exploit is when malicious code is spotted in the wild that takes advantage of a previously unknown flaw. If researchers are announcing this and there is no malicious code in the wild, it's not an exploit (and, hence, not a 0-day exploit). So let's not get all crazy....