Download our in-depth report: The Ultimate Guide to IT Security Vendors
Last year had been tough for Apple's QuickTime software, with numerous security vulnerabilities making headlines. So far, it looks as if 2008 may continue the unfortunate security trend.
Security researcher Luigi Auriemma reported that a buffer overflow condition exists in version QuickTime 7.3.1. According to Auriemma's advisory, the problem is a buffer-overflow, which happens during the handling of the HTTP error message and its visualization in the LCD-like screen that contains info about the status of the connection.
The buffer overflow could lead to arbitrary code execution or a denial of service attacker (DoS), he said.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i To exploit the vulnerability, an attacker can connect via an RTSP (Real Time Streaming Protocol) link to trigger the error leading to the buffer overflow. As well as posting a public advisory on the issue, Auriemma provided a proof-of-concept for execution of the flaw.
Auriemma offers no suggestion for how to fix the problem, which is currently unpatched by Apple. Security firm Secunia rated the issue as being "highly critical" and US-CERT has issued a vulnerability note warning about the vulnerability. US-CERT provides two options for QuickTime users about how to protect themselves.
The first option suggested by US-CERT is to actually uninstall QuickTime until an update is available from Apple. US-CERT notes, however, that uninstalling QuickTime will affect applications like iTunes that rely on the software, causing them to fail to run or run only with limited functionality.
The other suggestion that US-CERT offers is to block the rtsp:// protocol with proxy or firewall rules.
Apple's Quick Time 7.3.1 is not even a month old, having been released in mid-December. That version itself came as a security fix related to another vulnerability that used RTSP to exploit QuickTime.
That particular flaw had been the subject of US-CERT Technical Cyber Alert in November.