
NIST reports "highly critical vulnerability" in QuickTime

NIST (National Institute of Standards and Technology) reports that a "Highly Critical" vulnerability exists in the Apple QuickTime handling of rtsp:// URLs. The exploit causes a stack-based buffer overflow that can lead to remote arbitrary code execution.
Written by Russell Shaw, Contributor

NIST (National Institute of Standards and Technology) reports that a "Highly Critical" vulnerability exists in the Apple QuickTime handling of rtsp:// URLs. The exploit causes a stack-based buffer overflow that can lead to remote arbitrary code execution. The vulnerability affects both the Windows and Apple OS X versions.

This should be of key interest to rich media content creators that use QuickTime. 

Here's what they say is going on: 

The malicious URL can be accessed by clicking on a supplied rtsp:// link or by visiting a web page that embeds such a link using HTML or JavaScript. The bug is caused by the way QuickTime implements the media streaming communications standard RTSP (Real Time Streaming Protocol). Proof of Concept code has been released for both the Windows and Apple OS X (Intel) platforms so it is probably already being exploited.

Unfortunately, NIST says the only way to mitigate risk is to disable the rtsp:// URL handler or uninstall QuickTime.
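Until the handler is disabled or QuickTime is removed, a site owner or a mail/web gateway can at least find the delivery vector NIST describes: an rtsp:// URL in a link, in an embed/object source, or inside inline JavaScript. The scanner below is an added example written for this page, not code from NIST or Apple; the sample page is constructed, the host `media.example.test` is a placeholder, and any rtsp:// reference is reported rather than judged, because the page gives no way to tell a benign stream URL from a crafted one.

```python
import re
from html.parser import HTMLParser

# Attributes through which a browser or plugin will dereference a URL.
URL_ATTRS = {"href", "src", "data", "value", "action"}
# rtsp:// scheme, case-insensitive, up to the first quote, whitespace or tag delimiter.
RTSP_RE = re.compile(r"rtsp://[^\s'\"<>]+", re.IGNORECASE)


class RtspFinder(HTMLParser):
    """Collect rtsp:// references from tag attributes and inline <script> text."""

    def __init__(self):
        super().__init__()
        self.findings = []          # list of (location, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if value and name.lower() in URL_ATTRS:
                for url in RTSP_RE.findall(value):
                    self.findings.append((f"<{tag} {name}>", url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here verbatim; a URL assigned to window.location
        # or passed to a plugin API is the JavaScript variant of the vector.
        if self._in_script:
            for url in RTSP_RE.findall(data):
                self.findings.append(("<script>", url))


def find_rtsp_references(html: str):
    """Return every (location, url) pair whose URL uses the rtsp:// scheme."""
    parser = RtspFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two HTML embeds, one safe http embed, one script reference.
SAMPLE_PAGE = """<html><body>
<a href="rtsp://media.example.test/trailer.mov">Watch the trailer</a>
<embed src="RTSP://media.example.test/stream" type="video/quicktime">
<object data="http://media.example.test/safe.mov"></object>
<script>
  window.location = "rtsp://media.example.test/auto.mov";
</script>
</body></html>"""


if __name__ == "__main__":
    for location, url in find_rtsp_references(SAMPLE_PAGE):
        print(f"{location:14} {url}")
```

Feed the function the raw HTML of pages you host or proxy; three findings come back for the sample (the `<a>` link, the `<embed>` source and the script assignment), while the http:// object is ignored. Scanning does not replace the mitigation NIST gives, since a link in e-mail or on a third-party site still reaches the handler.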

By the way, expect more such reports. NIST says release of this vulnerability is part of the "Month of Apple Bugs" project.

"This group will be releasing a significant Apple security vulnerability each day in January," NIST says. "If your organization is not managing patches of 3rd party applications and the OS X computers, it's time to start."
