QuickTime Flaw Reported
January 2, 2007 4:01pm CST
According to a report posted on the Month of Apple Bugs (MoAB) site, there is a flaw in Apple QuickTime that can be exploited by malicious people to compromise a user's system. The vulnerability is caused by a boundary error when handling RTSP URLs. This can be exploited to cause a stack-based buffer overflow via a specially crafted QTL file with an overly long (more than 256 bytes) "src" parameter (e.g. "rtsp://[any character]:[256 bytes]"). The flaw affects any Windows or Mac OS X system with QuickTime Player version 7.1.3 installed; previous versions are also probably vulnerable.

The flaw was discovered by LMH, a MoAB organizer who hasn't disclosed his name. "The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account," said LMH.

Security monitoring company Secunia rated the QuickTime flaw as "highly critical", which means that successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure.

The Month of Apple Bugs (MoAB) project, which will announce a new security vulnerability in Apple's operating system or other Mac OS X software each day in January, is a follow-on to November's "Month of Kernel Bugs" campaign. The project was inspired by an earlier effort, called the Month of Browser Bugs, which was kicked off in July.
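
A triage check for the condition described in the report, added here as an example (it is not part of the MoAB report or any vendor tool): it flags QTL files whose rtsp:// "src" value exceeds 256 bytes. It assumes a QTL file is XML text with a quoted `src` attribute; the function name `scan_qtl`, the host name and the sample files are constructed for illustration.

```python
import re

# Threshold from the report: an rtsp:// "src" value of more than 256 bytes.
MAX_SRC_BYTES = 256

# Assumption: a QTL file is XML text whose embed element carries a quoted src attribute.
# Matching on raw bytes keeps the length check in bytes and tolerates malformed XML.
SRC_ATTR = re.compile(rb'\bsrc\s*=\s*(["\'])(.*?)\1', re.IGNORECASE | re.DOTALL)


def scan_qtl(data: bytes) -> list[dict]:
    """Return one finding per rtsp:// src attribute longer than the threshold."""
    findings = []
    for match in SRC_ATTR.finditer(data):
        src = match.group(2)
        if not src.lower().startswith(b"rtsp://"):
            continue
        # Bytes after the first colon that follows the scheme, i.e. the
        # "rtsp://[any character]:[256 bytes]" shape quoted in the report.
        _, sep, tail = src[len(b"rtsp://"):].partition(b":")
        if len(src) > MAX_SRC_BYTES:
            findings.append({
                "offset": match.start(2),          # where the value starts in the file
                "src_bytes": len(src),             # total length of the src value
                "after_colon_bytes": len(tail) if sep else 0,
            })
    return findings


# Constructed samples (not taken from any real file).
BENIGN_QTL = (
    b'<?xml version="1.0"?>\n'
    b'<?quicktime type="application/x-quicktime-media-link"?>\n'
    b'<embed src="rtsp://media.example.com:554/stream.sdp" autoplay="true" />\n'
)
# Same file with the src value replaced by an over-long filler string.
SUSPICIOUS_QTL = BENIGN_QTL.replace(
    b"media.example.com:554/stream.sdp", b"a:" + b"B" * 300
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_QTL), ("suspicious", SUSPICIOUS_QTL)):
        print(name, scan_qtl(blob))
```

Run over mail attachments or downloaded `.qtl` files, a non-empty result marks a file to quarantine and review on hosts that still have QuickTime Player 7.1.3 installed.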