A zero-day vulnerability in Apple Computer's QuickTime media player has been posted, kicking off a project quite strangely titled as the "Month of Apple Bugs" (MoAB).
What has also been posted is an exploit that can be used by hackers to compromise, hijack, or infect computers running Microsoft Windows or Apple Mac OS X.
The QuickTime vulnerability lies in the way the media player software handles Real Time Streaming Protocol or RTSP. An attacker can create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow. The vulnerability affects QuickTime 7.1.3 on both Mac OS X and Windows systems. Previous versions of QuickTime could also be vulnerable.
A sequel to the 'Month of Kernel Bugs' project, MoAB is hosted by a hacker who goes under the initials, LMH, and a researcher, Kevin Finisterre, who has posted several such Mac vulnerabilities on his Web site.
MoAB takes upon itself the task of announcing a new security vulnerability in Apple's OS or other Mac OS X software each day of this month. Of the QuickTime vulnerability, LMH says, "The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account. It can be triggered via JavaScript, Flash, common links, QTL files, and any other method that starts QuickTime."
Both LMH and Finisterre write about the vulnerability on the MoAB Web site, saying that exploitation of this bug is trivial, and that the associated exploit code has been tested on Mac OS X running on Intel-based systems, and works against QuickTime 7.1.3, the current version of the player. However, Danish security major, Secunia, has given the bug a 'highly critical' rating. Apple, on its part, continues to remain non-committal. In an email, a spokesperson for Apple has said the company takes security very seriously, and that it welcomes feedback on how to improve security on the Mac.
In any case, till such a time this potential bug is patched, users are advised to cripple QuickTime's ability to process rtsp:// links. As regards users of Microsoft Windows, they are advised to launch QuickTime, select Edit|Preferences|QuickTime Preferences, click the File Types tab, expand Streaming, and clear the box marked "RTSP stream descriptor". Users of Mac OS X are advised to select System Preferences|QuickTime|Advanced|MIME Settings|Streaming|Streaming Movies, and clear the "RTSP stream descriptor" box.
Wednesday, January 03, 2007
Its a Month of Apple Bugs; for Some!
Posted by Charlie at 8:42 AM
Labels: Apple, exploit, Finisterre, flash, hackers, JavaScript, LMH, Mac OS X, MoAB, QTL, secunia, vulnerability, Windows, zero-day