Apple QuickTime zero-day flaw 'extremely critical'

Security research firm Secunia has reported what it calls an "extremely critical" vulnerability in media-streaming program Apple QuickTime.

The flaw, which affects the latest versions of QuickTime, 7.x, has not been patched and could allow a hacker to gain remote control of an affected system. It lies in a boundary error, when the program processes Real Time Streaming Protocol (RTSP) replies, according to Secunia's advisory, published on Monday. RTSP allows a client to remotely control video streams.

Working exploit code is in the wild, said Secunia, which linked from its advisory to details of the code on another security research site, milw0rm, which is where the vulnerability was initially recorded by Polish security researcher Krystian Kloskowski.

According to Kloskowski, exploit code can be executed on Windows Vista operating systems and systems running Microsoft XP Service Pack 2.

Secunia is advising that users do not browse untrusted websites, follow untrusted links, or open untrusted QuickTime Media Link files.

Elia Florio, a security researcher for Symantec, wrote on Symantec's Security Response Weblog that some QuickTime browser plug-ins appear to prevent any shell code being executed.

With Internet Explorer versions 6 and 7, and the Safari 3 beta, the attack appears to be prevented because standard buffer overflow prevention processes act before any damage can be done, Florio wrote. With Firefox, the QuickTime RTSP response is unmoderated. As a result, the exploit works against Firefox if QuickTime is the default multimedia player, according to Florio.