RealTime IT News

US-CERT Warns of Unpatched QuickTime Flaw

UPDATED: The U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) is warning about a serious flaw in Apple's QuickTime that cold let an attacker gain control of a user's computer. Apple has not yet patched the flaw.

US-CERT issued the warning in a Technical Cyber Security Alert earlier this week.

Don't think the issue could affect you? If you've installed iTunes, think again. The security group warned that both Windows and Mac users are at risk if they've installed the music software, which is used with Apple's wildly popular iPod.

"iTunes installs QuickTime, so any system with iTunes is also vulnerable," US-CERT said in its advisory.

A spokesperson for the computer maker confirmed that it was aware of the problem.

"Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users, and we are looking into this," the spokesperson said.

Reports about the flaw first appeared a week ago. Since then, US-CERT said it has become aware of publicly available exploit code.

The flaw itself specifically deals with how QuickTime handles Real Time Streaming Protocol (RTSP) content. If a user visits a site that includes a poisoned QuickTime file, or opens a maliciously crafted QuickTime file locally, the flaw could allow an attacker to take control of the user's PC.

The Alert also warns that one potential delivery method could be from a user's browser that calls on QuickTime to open a file.

In the absence of a patch from Apple, US-CERT provides a basic recommendation on how to avoid becoming a victim of the QuickTime flaw: Stay away from untrusted QuickTime files.

"Do not open QuickTime files from any untrusted sources, including unsolicited files or links received in email, instant messages, Web forums, or Internet Relay Chat (IRC) channels," US-CERT said in the advisory.

The warning comes as Apple's QuickTime is experiencing a recent rash of attacks.

Early this month, Apple issued an update with QuickTime version 7.3 that fixed at least seven security holes that could have left users PC or Macs at the mercy of hackers.

In October, Apple addressed issues with the QuickTime 7.2 release that had been plaguing the media player for more than a year.

In the case of the QuickTime 7.2 injection flaw, browser vendor Mozilla took steps on its own, ahead of Apple's patch, to protect Firefox users with the browser's 2.0.0.7 release..