New Zero-Day QuickTime Vulnerability Emerges
By Richard Koman / NewsFactor Network
Apple's QuickTime is vulnerable to malware disguised as streaming video, and attack code has been published on the Web site, security researchers have warned. So far, while the vulnerability affects Windows XP and Windows Vista, the jury is still out on whether Apple's own OS X is affected.

Apple programmers apparently made two mistakes. First, according to the U.S. Computer Emergency Readiness Team, QuickTime versions 7.2 and 7.3, and perhaps earlier versions, contain a buffer-overflow bug. "Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header," US-CERT said. "This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream."

RTSP is the Real-Time Streaming Protocol, which QuickTime supports. When users click on a link for a malicious RTSP stream, an attacker might be able to execute arbitrary code on the compromised system, US-CERT said.

Apple's popular iTunes software uses QuickTime, so the risk could be quite widespread. While attack code has been published, no actual in-the-wild attacks have been reported.

Mitigating the Risk

There are no direct solutions to such attacks prior to Apple issuing a patch, but US-CERT recommended several practical steps to reduce the risk of attack, including blocking RTSP, disabling the QuickTime ActiveX component for Internet Explorer and QuickTime plug-in for Mozilla, and disabling JavaScript. Finally, US-CERT recommended that users simply not access streaming QuickTime from untrusted sources.

Symantec offered some additional recommendations for network administrators. Enterprises should deploy intrusion-detection systems to monitor network traffic for malicious activity or signs of anomalous activity, the security firm said. Administrators should be on the lookout especially for unexplained incoming and outgoing traffic.

In addition, Symantec said, administrators should run all software as nonprivileged users with minimal access rights and implement multiple redundant layers of security. Symantec also said that "various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code."

Vista Security Scheme

Windows Vista contains just such a memory-protection scheme, called Address Space Layout Randomization (ASLR), which loads application and data components at randomized memory addresses, making it much more difficult for attackers to reliably exploit buffer-overflow errors. However, Apple programmers failed to enable ASLR for QuickTime, so a machine running QuickTime on Vista is no more secure against this attack than a machine running Windows XP. "This makes reliable exploitation of the vulnerability a lot easier," Symantec analyst Anthony Roe said.

But don't be too quick to blame Apple, Andrew Storms, director of security operations at nCircle, said in an e-mail. "It appears that Microsoft may have implemented this feature in a poor manner," Storms said. "If programmers are required to code their application differently, then it's not Apple's programmers who are at fault for not using ASLR, but Microsoft for not enforcing and making this feature a default behavior of all applications."

Users and administrators can count on seeing more exploits of QuickTime and iTunes, Storms said. "Hackers will continue to target cross-platform media applications because it's what most users use on the Web; and there is a greater likelihood that a successful attack on Windows can be easily transformed for Apple. Both iTunes and QuickTime fall into this category and have been favorite haunts for hackers for some time now," he said.

Apple updated QuickTime to version 7.3 just three weeks ago, addressing a much-publicized TIFF bug, as well as issues with Java support.

© Copyright 2017 NewsFactor Network. All rights reserved.