QuickTime Exploit Greets ‘Month of Apple Bugs’

UPDATED: A quick and easy exploit of a flaw in Apple’s QuickTime application may have
Mac and Windows users beginning the New Year with a fresh round of security
concerns. The exploit kicks off the Month of Apple Bugs (MOAB) project, the goal of which is to reveal problems with the Mac OS X operating system before informing
vendors.

A problem in how QuickTime handles URLs could pose a risk, according to MOAB, which described the vulnerability as being “trivial” to exploit and
released code displaying “Happy New Year” on systems running QuickTime and
QuickTime Player versions 7.13 and earlier.

Apple was not immediately available for comment.

Using the flaw in how QuickTime handles the “rtsp://” URL, a
specially crafted string could overflow a stack buffer, “leading to an
exploitable remote arbitrary code execution condition,” according to the MOAB bulletin.

The bulletin said users have only two options to avoid the flaw:
“uninstalling Quicktime or simply live with the feeling of being a potential
target.”

A security error in an application is “absolutely potentially more
serious” than one involving just the operating system, according to Andrew
Jaquith, a Yankee Group security analyst. QuickTime is frequently used by
both Mac and Windows users.

The group announced an exploit, explaining it preferred to release the security
vulnerability prior to notifying vendors.

Traditionally, security researchers and security vendors first alert the affected vendor and then the public, allowing
companies to learn of a problem before a vulnerability is widely disclosed.
eEye Digital Security, for instance, publishes the date a problem was
reported, as well as when a fix was released.

“The problem with so-called ‘responsible disclosure’ is that for some
people, it means keeping others on hold for insane amounts of time, even
when the fix should be trivial,” the group explained.

Releasing exploits before notifying vendors is “irresponsible,” Jaquith
said.

The MOAB project is similar to other projects, such as the Month of
Kernel Bugs, which exposed a flaw in Broadcom’s wireless driver, and the
Month of Browser Bugs, which began with an Internet Explorer vulnerability.

Not since another security group threatened to launch a month of Oracle bugs
has an effort concentrated on one vendor, said Jaquith.
