Another QuickTime code execution flaw surfaces

Summary:A security researcher has unearthed a buffer overflow remote code execution vulnerability that affects QuickTime on both the Windows and Mac platform.The flaw was published Thursday by Luigi Auriemma, who has been busy of late, is the latest in a series of QuickTime issues.

A security researcher has unearthed a buffer overflow remote code execution vulnerability that affects QuickTime on both the Windows and Mac platform.

The flaw was published Thursday by Luigi Auriemma, who has been busy of late, is the latest in a series of QuickTime issues. Will someone at Apple get us rewrite already?

The QuickTime vulnerability thus far is unpatched. Here are the details courtesy of Auriemma:

The problem is a buffer-overflow which happens during the filling of the LCD-like screen containing info about the status of the connection.

For exploiting this vulnerability is only needed that an user follows a rtsp:// link, if the port 554 of the server is closed Quicktime will automatically change the transport and will try the HTTP protocol on port 80, the 404 error message of the server (other error numbers are valid too) will be visualized in the LCD-like screen.

During my tests I have been able to fully overwrite the return address anyway note that the visible effects of the vulnerability could change during the usage of the debugger (in attaching mode it's everything ok).

The vulnerability impacts versions 7.3.1.70 and lower. Ryan Naraine reports that Symantec DeepInsight has confirmed the vulnerability.

And U.S. CERT has added in a post:

The flaw is in the way that QuickTime handles Real Time Streaming Protocol (RTSP) URL strings. By persuading a user to access a specially crafted QuickTime file, or RTSP stream, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system.

Topics: Hardware, Mobility, Security

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.