Apple QuickTime zero-day flaw 'extremely critical'

Apple QuickTime zero-day flaw 'extremely critical'

Summary: Working exploit code, allowing remote control of an affected system, is in the wild for a flaw in the latest versions of QuickTime, Secunia has said

SHARE:
TOPICS: Security
0

Security research firm Secunia has reported what it calls an "extremely critical" vulnerability in media-streaming program Apple QuickTime.

The flaw, which affects the latest versions of QuickTime, 7.x, has not been patched and could allow a hacker to gain remote control of an affected system. It lies in a boundary error, when the program processes Real Time Streaming Protocol (RTSP) replies, according to Secunia's advisory, published on Monday. RTSP allows a client to remotely control video streams.

Working exploit code is in the wild, said Secunia, which linked from its advisory to details of the code on another security research site, milw0rm, which is where the vulnerability was initially recorded by Polish security researcher Krystian Kloskowski.

According to Kloskowski, exploit code can be executed on Windows Vista operating systems and systems running Microsoft XP Service Pack 2.

Secunia is advising that users do not browse untrusted websites, follow untrusted links, or open untrusted QuickTime Media Link files.

Elia Florio, a security researcher for Symantec, wrote on Symantec's Security Response Weblog that some QuickTime browser plug-ins appear to prevent any shell code being executed.

With Internet Explorer versions 6 and 7, and the Safari 3 beta, the attack appears to be prevented because standard buffer overflow prevention processes act before any damage can be done, Florio wrote. With Firefox, the QuickTime RTSP response is unmoderated. As a result, the exploit works against Firefox if QuickTime is the default multimedia player, according to Florio.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion