Last year had been tough for Apple’s QuickTime software, with numerous security vulnerabilities making headlines. So far, it looks as if 2008 may continue the unfortunate security trend.
Security researcher Luigi Auriemma reported that a buffer overflow condition exists in version QuickTime 7.3.1. According to Auriemma’s advisory, the problem is a buffer-overflow, which happens during the handling of the HTTP error message and its visualization in the LCD-like screen that contains info about the status of the connection.
The buffer overflow could lead to arbitrary code execution or a denial of service attacker (DoS), he said.
To exploit the vulnerability, an attacker can connect via an RTSP (Real Time Streaming Protocol) link to trigger the error leading to the buffer overflow. As well as posting a public advisory on the issue, Auriemma provided a proof-of-concept for execution of the flaw.
Auriemma offers no suggestion for how to fix the problem, which is currently unpatched by Apple. Security firm Secunia rated the issue as being “highly critical” and US-CERT has issued a vulnerability note warning about the vulnerability. US-CERT provides two options for QuickTime users about how to protect themselves.
The first option suggested by US-CERT is to actually uninstall QuickTime until an update is available from Apple. US-CERT notes, however, that uninstalling QuickTime will affect applications like iTunes that rely on the software, causing them to fail to run or run only with limited functionality.
The other suggestion that US-CERT offers is to block the rtsp:// protocol with proxy or firewall rules.
Apple’s Quick Time 7.3.1 is not even a month old, having been
released in mid-December. That version itself came as a security fix
related to another vulnerability that used RTSP to exploit QuickTime.
That particular flaw had been the subject of US-CERT Technical
Cyber Alert in November.
Apple’s QuickTime troubles in 2007 also began early in the year. In the first week of January 2007, Apple was greeted by an initiative called “The Month of Apple Bugs” (MOAB), during which security experts highlighted flaws in the company’s software. One the first bugs reported by that effort was one that also utilized QuickTime and RTSP.