News & Information for Technology Purchasers NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
Home Enterprise I.T. Cloud Computing Applications Hardware More Topics...
You are here: Home / Apple/Mac / Zero-Day QuickTime Hack Emerges
Next Generation Data Center Is Here!
New Zero-Day QuickTime Vulnerability Emerges
New Zero-Day QuickTime Vulnerability Emerges
By Richard Koman / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
NOVEMBER
26
2007



Apple's QuickTime is vulnerable to malware disguised as streaming video, and attack code has been published on the milw0rm.com Web site, security researchers have warned. So far, while the vulnerability affects Windows XP and Windows Vista, the jury is still out on whether Apple's own OS X is affected.

Apple programmers apparently made two mistakes. First, according to the U.S. Computer Emergency Readiness Team, QuickTime versions 7.2 and 7.3, and perhaps earlier versions, contain a buffer-overflow bug. "Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header," US-CERT said. "This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream."

RTSP is the Real-Time Streaming Protocol, which QuickTime supports. When users click on a link for a malicious RTSP stream, an attacker might be able to execute arbitrary code on the compromised system, US-CERT said.

Apple's popular iTunes software uses QuickTime, so the risk could be quite widespread. While attack code has been published, no actual in-the-wild attacks have been reported.

Mitigating the Risk

There are no direct solutions to such attacks prior to Apple issuing a patch, but US-CERT recommended several practical steps to reduce the risk of attack, including blocking RTSP, disabling the QuickTime ActiveX component for Internet Explorer and QuickTime plug-in for Mozilla, and disabling JavaScript. Finally, US-CERT recommended that users simply not access streaming QuickTime from untrusted sources.

Symantec offered some additional recommendations for network administrators. Enterprises should deploy intrusion-detection systems to monitor network traffic for malicious activity or signs of anomalous activity, the security firm said. Administrators should be on the lookout especially for unexplained incoming and outgoing traffic.

In addition, Symantec said, administrators should run all software as nonprivileged users with minimal access rights and implement multiple redundant layers of security. Symantec also said that "various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code."

Vista Security Scheme

Windows Vista contains just such a memory-protection scheme, called Address Space Layout Randomization (ASLR), which randomly assigns application and data components to memory, making it much more difficult for hackers to cause buffer-overflow errors. However, Apple programmers failed to enable ASLR addressing, so a machine running QuickTime on Vista is no more secure than a machine running Windows XP. "This makes reliable exploitation of the vulnerability a lot easier," Symantec analyst Anthony Roe said.

But don't be too quick to blame Apple, Andrews Storms, director of security operations at nCircle, said in an e-mail. "It appears that Microsoft may have implemented this feature in a poor manner," Storms said. "If programmers are required to code their application differently, then it's not Apple's programmers who are at fault for not using ASLR, but Microsoft for not enforcing and making this feature a default behavior of all applications."

Users and administrators can count on seeing more exploits of QuickTime and iTunes, Storms said. "Hackers will continue to target cross-platform media applications because it's what most users use on the Web; and there is a greater likelihood that a successful attack on Windows can be easily transformed for Apple. Both iTunes and QuickTime fall into this category and have been favorite haunts for hackers for some time now," he said.

Apple updated QuickTime to version 7.3 just three weeks ago, addressing a much-publicized TIFF bug, as well as issues with Java support.

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY BE OF INTEREST
IT departments are embracing cloud backup, but there's a lot you need to know before choosing a service provider. Learn all the critical things you need to know by accessing the white paper, "5 Things You Didn't Know About Cloud Backup". Access the White Paper now.
MORE IN APPLE/MAC
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Dairy Queen Latest Retailer To Report Hack
Known for its hot fries and soft-serve ice cream, Dairy Queen just made cyber history as the latest victim of a hack attack. The fast food chain said that customer data at some stores may be at risk.
 
Lessons from the JPMorgan Chase Cyberattack
JPMorgan Chase is investigating a likely cyberattack. The banking giant is cooperating with law enforcement, including the FBI, to understand what data hackers may have obtained.
 
Who Is the Hacker Group Lizard Squad?
Are they dangerous or just obnoxious? That’s what many are wondering about the hacker group Lizard Squad, which tweeted out a bomb threat that grounded a flight with a Sony exec aboard.
 

Enterprise Hardware Spotlight
Intel Intros Lightning-Fast PC Processors
Call it extreme. Intel just took the covers off its first-ever eight-core desktop processor, which is aimed at hardcore power users who expect more than the status quo from their computers.
 
HP Previews ProLiant Gen9 Data Center Servers
Because traditional data center and server architectures are “constraints” on businesses, HP is releasing new servers aimed at faster, simpler and more cost-effective delivery of computing services.
 
Apple Set To Release Largest iPad Ever
Tech giant Apple seems to have adopted the mantra “go big or go home.” The company is planning to introduce its largest iPad ever: a 12.9-inch behemoth that will dwarf its largest existing models.
 

Mobile Technology Spotlight
iWatch Watch: What Will Apple Ask Us To Wear?
There are still more questions than answers when it comes to details about the smart watch Apple seems poised to debut on Sept. 9. In fact, nobody seems completely sure that it will be a smart watch at all.
 
Samsung Maps Its Way with Nokia's 'Here' App for Galaxy Phones
Korean electronics giant Samsung has opted to license Here, Nokia’s mapping app -- formerly known as Nokia Maps -- for its Tizen-powered smart devices and Samsung Gear S wearable.
 
Google Successfully Tests Its Own Delivery Drone
While top technology companies are engaged in an "arms race" to develop drones that can quickly deliver goods to anyone anywhere, Google has revealed it successfully tested its own version.
 

Navigation
NewsFactor Network
Home/Top News | Enterprise I.T. | Cloud Computing | Applications | Hardware | Mobile Tech | Big Data | Communications
World Wide Web | Network Security | Data Storage | CRM Systems | Microsoft/Windows | Apple/Mac | Linux/Open Source | Personal Tech
Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.