Apple's QuickTime is vulnerable to malware disguised as streaming video, and attack code has been published on the milw0rm.com Web site, security researchers have warned. So far, while the vulnerability affects Windows XP and Windows Vista, the jury is still out on whether Apple's own OS X is affected.
Apple programmers apparently made two mistakes. First, according to the U.S. Computer Emergency Readiness Team, QuickTime versions 7.2 and 7.3, and perhaps earlier versions, contain a buffer-overflow bug. "Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header," US-CERT said. "This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream."
RTSP is the Real-Time Streaming Protocol, which QuickTime supports. When users click on a link for a malicious RTSP stream, an attacker might be able to execute arbitrary code on the compromised system, US-CERT said.
Apple's popular iTunes software uses QuickTime, so the risk could be quite widespread. While attack code has been published, no actual in-the-wild attacks have been reported.
Mitigating the Risk
Symantec offered some additional recommendations for network administrators. Enterprises should deploy intrusion-detection systems to monitor network traffic for malicious activity or signs of anomalous activity, the security firm said. Administrators should be on the lookout especially for unexplained incoming and outgoing traffic.
In addition, Symantec said, administrators should run all software as nonprivileged users with minimal access rights and implement multiple redundant layers of security. Symantec also said that "various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code."
Vista Security Scheme
Windows Vista contains just such a memory-protection scheme, called Address Space Layout Randomization (ASLR), which randomly assigns application and data components to memory, making it much more difficult for hackers to cause buffer-overflow errors. However, Apple programmers failed to enable ASLR addressing, so a machine running QuickTime on Vista is no more secure than a machine running Windows XP. "This makes reliable exploitation of the vulnerability a lot easier," Symantec analyst Anthony Roe said.
But don't be too quick to blame Apple, Andrews Storms, director of security operations at nCircle, said in an e-mail. "It appears that Microsoft may have implemented this feature in a poor manner," Storms said. "If programmers are required to code their application differently, then it's not Apple's programmers who are at fault for not using ASLR, but Microsoft for not enforcing and making this feature a default behavior of all applications."
Users and administrators can count on seeing more exploits of QuickTime and iTunes, Storms said. "Hackers will continue to target cross-platform media applications because it's what most users use on the Web; and there is a greater likelihood that a successful attack on Windows can be easily transformed for Apple. Both iTunes and QuickTime fall into this category and have been favorite haunts for hackers for some time now," he said.
Apple updated QuickTime to version 7.3 just three weeks ago, addressing a much-publicized TIFF bug, as well as issues with Java support.