
Exploit code targets Apple QuickTime zero-day

Bill Brenner, Senior News Writer

Exploit code has been released for a zero-day buffer-overflow flaw in Apple Inc.'s widely used QuickTime media player, giving attackers the opportunity to hijack vulnerable computers running Mac OS X and the latest versions of Microsoft Windows.

The problem is a boundary error that surfaces when QuickTime processes replies from an RTSP server, Danish vulnerability clearinghouse Secunia said in its SA27755 advisory. Attackers can exploit this to cause a stack-based buffer overflow via a specially crafted RTSP reply containing an overly long "Content-Type" header.

"Successful exploitation allows execution of arbitrary code and requires that the user is tricked into opening a malicious QTL file or visiting a malicious Web site," Secunia said, adding that it was able to confirm the flaw on machines running QuickTime 7.3. Because a working exploit is available, Secunia rated the flaw extremely critical, its highest severity rating. The French Security Incident Response Team (FrSIRT) gave the flaw a critical rating in its FrSIRT/ADV-2007-3984 advisory. The flaw was discovered by researcher Krystian Kloskowski.

Cupertino, Calif.-based security vendor Symantec Corp. is keeping its ThreatCon at Level 2 because of the QuickTime exploit. In an email advisory to customers of its DeepSight threat management service, Symantec said the proof-of-concept code can be used to trigger remote code execution for QuickTime on Microsoft Windows Vista and XP, as well as versions of Mac OS X.

"Customers are advised to temporarily employ strict egress firewall filtering on TCP port 554 to prevent outbound connections to malicious RTSP servers as it is likely that this exploit will be employed in the wild," Symantec said.

To blunt the threat, security experts recommend users steer clear of unfamiliar Web sites, untrusted links and QTL files.

Symantec suggested additional measures, such as deploying network intrusion detection systems to monitor network traffic for malicious activity; running all software as a nonprivileged user with minimal access rights; and implementing multiple redundant layers of security.
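As an added example (not code from the article, and not Apple's, Secunia's or Symantec's), here is the header check a network sensor or proxy would apply to server-to-client RTSP traffic, following the flaw description above and Symantec's suggestion to monitor network traffic for malicious activity: parse the reply's status line and headers and flag a Content-Type value that exceeds a length budget. The 128-byte limit, the sample replies and the function names are assumptions for illustration; the article gives no threshold.

```python
"""Flag RTSP replies whose Content-Type header exceeds a length budget.

Added example, not code from the article or from Apple, Secunia or Symantec.
Models the check a NIDS signature or proxy would apply to server-to-client
RTSP traffic: parse the status line and headers of a reply and report an
over-long Content-Type value. The 128-byte limit is an assumption for
illustration; the real overflow threshold is not stated in the article.
"""

from typing import Dict, List, Optional, Tuple

MAX_CONTENT_TYPE = 128  # assumed budget; tune to what legitimate servers send


def parse_rtsp_reply(raw: bytes) -> Tuple[Optional[str], Dict[str, str]]:
    """Split an RTSP reply into (status line, headers).

    Header names are lower-cased and folded continuation lines (leading
    space or tab) are joined onto the previous value, so a value split
    across lines is still measured whole. Parsing stops at the first
    blank line; any body is ignored. Returns (None, {}) for non-RTSP data.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"RTSP/"):
        return None, {}
    status = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] += " " + line.strip().decode("latin-1")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line: skip it rather than fail
        last = name.strip().lower().decode("latin-1")
        headers[last] = value.strip().decode("latin-1")
    return status, headers


def inspect_reply(raw: bytes, limit: int = MAX_CONTENT_TYPE) -> List[str]:
    """Return alert strings for one reply; an empty list means it looks clean."""
    status, headers = parse_rtsp_reply(raw)
    if status is None:
        return ["not an RTSP reply"]
    alerts: List[str] = []
    ctype = headers.get("content-type")
    if ctype is not None and len(ctype) > limit:
        alerts.append(f"Content-Type length {len(ctype)} exceeds {limit}")
    return alerts


# Constructed sample traffic for illustration, not captured from a real exploit.
BENIGN_REPLY = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Oversized Content-Type value on a single line.
SUSPICIOUS_REPLY = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: " + b"A" * 1000 + b"\r\n"
    b"\r\n"
)

# Same idea, but the value is folded across a continuation line so that a
# naive per-line length check would see two short lines.
FOLDED_REPLY = (
    b"RTSP/1.0 200 OK\r\n"
    b"Content-Type: " + b"A" * 100 + b"\r\n"
    b"\t" + b"A" * 100 + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    samples = (("benign", BENIGN_REPLY),
               ("suspicious", SUSPICIOUS_REPLY),
               ("folded", FOLDED_REPLY))
    for name, pkt in samples:
        print(name, inspect_reply(pkt) or ["ok"])
```

Run it as-is to print a verdict for each constructed reply. Because the check works on the parsed message rather than on the port, it also applies to a malicious server listening somewhere other than TCP 554, which a port-based egress filter does not cover; the folded-header case shows why the value must be measured only after continuation lines are joined.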