RealTime IT News

QuickTime Exploit Greets 'Month of Apple Bugs'

UPDATED: A quick and easy exploit of a flaw in Apple's QuickTime application may have Mac and Windows users beginning the New Year with a fresh round of security concerns. The exploit kicks off the Month of Apple Bugs (MOAB) project, the goal of which is to reveal problems with the Mac OS X operating system before informing vendors.

A problem in how QuickTime handles URLs could pose a risk, according to MOAB, which described the vulnerability as being "trivial" to exploit and released code displaying "Happy New Year" on systems running QuickTime and QuickTime Player versions 7.13 and earlier.

Apple was not immediately available for comment.

Using the flaw in how QuickTime handles "rtsp://" URLs, a specially crafted string could overflow a stack buffer, "leading to an exploitable remote arbitrary code execution condition," according to the MOAB bulletin.

The bulletin said users have only two options to avoid the flaw: "uninstalling Quicktime or simply live with the feeling of being a potential target."

A security error in an application is "absolutely potentially more serious" than one involving just the operating system, according to Andrew Jaquith, a Yankee Group security analyst. QuickTime is frequently used by both Mac and Windows users.

The group announced the exploit, explaining that it preferred to disclose the vulnerability before notifying the vendor.

Traditionally, security researchers first alert the affected vendor and then the public, allowing the company to learn of a problem before the vulnerability is widely disclosed. eEye Digital Security, for instance, publishes the date a problem was reported as well as the date a fix was released.

"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial," the group explained.

Releasing exploits before notifying vendors is "irresponsible," Jaquith said.

The MOAB project is similar to other projects, such as the Month of Kernel Bugs, which exposed a flaw in Broadcom's wireless driver, and the Month of Browser Bugs, which began with an Internet Explorer vulnerability.

Not since another security group threatened to launch a month of Oracle bugs has an effort concentrated on a single vendor, said Jaquith.