QuickTime 7 Vulnerability

The Month of Apple Bugs website posted its first vulnerability for this month, and it affects Windows as well. BAM!! KAPOW!! The double whammy. I’m sure the message boards will be heated up with “my OS is better than your OS.” Can’t we all just get along?

The following description of the software is provided by the vendor (Apple):

QuickTime 7 makes the future of video crystal clear with new features including user-friendly controls and pristine H.264 video. Upgrade to QuickTime 7 Pro and capture your own movies, then share them with friends and family via email or .Mac.

A vulnerability exists in the handling of the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// [random] + colon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, JavaScript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition. Source: the Month of Apple Bugs

From CNET, QuickTime zero-day bug threatens Macs, PCs:

“The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account,” said LMH, the alias of one of the two security researchers behind the Month of the Apple Bugs. “It can be triggered via JavaScript, Flash, common links, QTL files and any other method that starts QuickTime.”

The vulnerability affects QuickTime 7.1.3, the latest version of the media player software released in September, on both Apple Mac OS X and Microsoft Windows, according to the Month of the Apple Bugs advisory. Previous versions could also be vulnerable, according to the advisory.

Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSIRT, rate the QuickTime flaw as “highly critical” and “critical,” respectively. Source: News.com

As usual, this will be more dangerous to Windows users, as most users run under administrator accounts. Apple has not released any info on when a patch could be released.
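With no patch date announced, one defensive check is to scan HTML, JavaScript or QTL content for rtsp:// URLs shaped like the one in the advisory (a long field after the first colon). The sketch below is an added example, not code from the Month of Apple Bugs or Apple; the 256-byte cut-off, the function names and the sample input are assumptions made for illustration.

```python
import re

# Assumption: illustrative cut-off, set below the 299 bytes of padding the
# advisory describes. Tune it for your own traffic.
MAX_AFTER_COLON = 256
RTSP_URL = re.compile(r"rtsp://[^\s\"'<>]+", re.IGNORECASE)


def inspect_rtsp_url(url):
    """Return the reasons an rtsp:// URL looks abnormal (empty list = clean)."""
    head, colon, tail = url[len("rtsp://"):].partition(":")
    if not colon:
        return []
    reasons = []
    if len(tail) >= MAX_AFTER_COLON:
        reasons.append("%d bytes after first colon" % len(tail))
    # Apply the port check only when the colon sits in a plain host:port
    # authority (skip path colons, user:pass@host and bracketed IPv6).
    port = tail.split("/", 1)[0]
    plain_authority = ("/" not in head and "@" not in port
                       and not head.startswith("["))
    if plain_authority and not re.fullmatch(r"\d{1,5}", port):
        reasons.append("port field is not 1-5 digits")
    return reasons


def scan_document(text):
    """Scan HTML, JavaScript or QTL text; return [(url_prefix, reasons), ...]."""
    findings = []
    for match in RTSP_URL.finditer(text):
        reasons = inspect_rtsp_url(match.group(0))
        if reasons:
            findings.append((match.group(0)[:40], reasons))
    return findings


# Constructed sample input: one ordinary stream link and one QTL-style embed
# whose post-colon field is filler only (no payload).
SAMPLE = (
    '<a href="rtsp://media.example.com:554/live/stream.sdp">watch</a>\n'
    '<embed src="rtsp://abcd:' + "x" * 300 + '" />\n'
)

if __name__ == "__main__":
    for url, reasons in scan_document(SAMPLE):
        print(url, "->", "; ".join(reasons))
```

The same check can run in a mail or web proxy filter; it is a heuristic for spotting the malformed URL and does not replace the vendor fix.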

They released the second vulnerability today; they are promising one a day:

A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.

This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the Microsoft Windows version). Source: VLC Media Player udp:// Format String Vulnerability

The poster with the handle LMH and independent researcher Kevin Finisterre say a positive side effect will, probably, be a more concerned user base and better practices from Apple management. Makes for interesting reading at least, although this QuickTime vulnerability could affect a large percentage of the internet, especially Windows users.