Exploit Code Out for Windows, Mac QuickTime Flaw

By Lisa Vaas  |  Posted 2007-11-26 Print this article Print

An extremely critical Apple QuickTime flaw can enable malware attacks on Windows and Mac OS X systems.

Exploit code is out for an extremely critical Apple QuickTime flaw that affects Windows and Mac OS X systems, and researchers say attacks are likely soon to follow. The vulnerability, found in the way QuickTime processes RTSP (Real Time Streaming Protocol) replies, can lead to remote attackers hijacking vulnerable systems. This proof of concept code was posted on Nov. 23 by security researcher Krystian Kloskowski. The flaw, caused by a boundary error when processing RTSP replies, can be exploited to cause a stack-based buffer overflow if an attacker sends a rigged audio-streaming file that contains an overly long Content Type header. Otherwise, an attacker can successfully exploit the vulnerability by modifying an existing program to listen for RTSP requests and to respond with malicious code.
That malicious file would contain arbitrary data, memory addresses, and executable machine code designed to perform some action on the attackers behalf, according to a Nov. 24 security advisory Symantec sent to clients who subscribe to its DeepSight Alert Services.
RTSP, a protocol used in streaming media systems, allows a client to remotely control a streaming media server with commands such as "play" and "pause" and also allows time-based access to files on a server. Click here to read about an Apple Mail flaw affecting Mac OS X Leopard. According to Symantec, QuickTime Player 7.3 is affected by this vulnerability. As of Nov. 26, it hadnt yet been determined whether other versions are affected as well. To exploit the issue, an attacker has to lure an unsuspecting user to connect to a malicious RTSP server. Apple had not responded to requests for input by the time this article posted. In lieu of a patch, Symantec is advising users to mitigate the potential danger by deploying network intrusion detection systems to monitor network traffic for malicious activity. Symantec is also advising users to use NIDS (network intrusion detection system) to monitor network traffic for signs of anomalous or suspicious activity, including but not limited to requests that include NOP (no operation) sleds and unexplained incoming and outgoing traffic. A NOP sled, aka NOP slide, is a sequence of NOP instructions meant to "slide" the CPUs instruction execution flow to a final, desired destination. Symantec is also advising that all software be set to run as a nonprivileged user with minimal access rights. Also, to limit the effects of a successful compromise, run all client software with the least privileges required to function. And as always, dont follow links from strangers or untrusted sources, stay out of questionable sites, and dont touch files from unknown sources. Symantec is also advising users to use memory-protection schemes to trip up an attackers ability to exploit the vulnerability by executing arbitrary code. That includes nonexecutable and randomly mapped memory segments. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel