New Zero-Day QuickTime Vulnerability Emerges
By Richard Koman / NewsFactor Network
Apple's QuickTime is vulnerable to malware disguised as streaming video, and attack code has been published on the milw0rm.com Web site, researchers have warned. So far, while the vulnerability affects Windows XP and Windows Vista, the jury is still out on whether Apple's own OS X is affected.

Apple programmers apparently made two mistakes. First, according to the U.S. Computer Emergency Readiness Team, QuickTime versions 7.2 and 7.3, and perhaps earlier versions, contain a buffer-overflow bug. "Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header," US-CERT said. "This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream."

RTSP is the Real-Time Streaming Protocol, which QuickTime supports. When users click on a link for a malicious RTSP stream, an attacker might be able to execute arbitrary code on the compromised system, US-CERT said.

Apple's popular iTunes uses QuickTime, so the risk could be quite widespread. While attack code has been published, no actual in-the-wild attacks have been reported.

Mitigating the Risk

There are no direct solutions to such attacks prior to Apple issuing a patch, but US-CERT recommended several practical steps to reduce the risk of attack, including blocking RTSP, disabling the QuickTime ActiveX component for Internet Explorer and QuickTime plug-in for Mozilla, and disabling JavaScript. Finally, US-CERT recommended that users simply not access streaming QuickTime from untrusted sources.

Symantec offered some additional recommendations for administrators. Enterprises should deploy intrusion-detection systems to monitor network traffic for malicious activity or signs of anomalous activity, the security firm said. Administrators should be on the lookout especially for unexplained incoming and outgoing traffic.

In addition, Symantec said, administrators should run all software as nonprivileged users with minimal access rights and implement multiple redundant layers of security. Symantec also said that "various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code."

Vista Security Scheme

Windows Vista contains just such a memory-protection scheme, called Address Space Layout Randomization (ASLR), which randomly assigns application and data components to memory, making it much more difficult for hackers to exploit buffer-overflow errors. However, Apple programmers failed to enable ASLR addressing, so a computer running QuickTime on Vista is no more secure than a machine running Windows XP. "This makes reliable exploitation of the vulnerability a lot easier," Symantec analyst Anthony Roe said.

But don't be too quick to blame Apple, Andrew Storms, director of security operations at nCircle, said in an e-mail. "It appears that Microsoft may have implemented this feature in a poor manner," Storms said. "If programmers are required to code their application differently, then it's not Apple's programmers who are at fault for not using ASLR, but Microsoft for not enforcing and making this feature a default behavior of all applications."

Users and administrators can count on seeing more exploits of QuickTime and iTunes, Storms said. "Hackers will continue to target cross-platform media applications because it's what most users use on the Web; and there is a greater likelihood that a successful attack on Windows can be easily transformed for Apple. Both iTunes and QuickTime fall into this category and have been favorite haunts for hackers for some time now," he said.

Apple updated QuickTime to version 7.3 just three weeks ago, addressing a much-publicized TIFF bug, as well as issues with Java support.


© Copyright 2015 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.