Exploit Code Out for Windows, Mac QuickTime Flaw

An extremely critical Apple QuickTime flaw can enable malware attacks on Windows and Mac OS X systems.

Exploit code is out for an extremely critical Apple QuickTime flaw that affects Windows and Mac OS X systems, and researchers say attacks are likely soon to follow.

The vulnerability, found in the way QuickTime processes RTSP (Real Time Streaming Protocol) replies, can lead to remote attackers hijacking vulnerable systems. This proof of concept code was posted on Nov. 23 by security researcher Krystian Kloskowski.

The flaw, caused by a boundary error when processing RTSP replies, can be exploited to cause a stack-based buffer overflow if an attacker sends a rigged audio-streaming file that contains an overly long Content Type header. Otherwise, an attacker can successfully exploit the vulnerability by modifying an existing program to listen for RTSP requests and to respond with malicious code.

That malicious file would contain arbitrary data, memory addresses, and executable machine code designed to perform some action on the attackers behalf, according to a Nov. 24 security advisory Symantec sent to clients who subscribe to its DeepSight Alert Services.

RTSP, a protocol used in streaming media systems, allows a client to remotely control a streaming media server with commands such as "play" and "pause" and also allows time-based access to files on a server.


Click here to read about an Apple Mail flaw affecting Mac OS X Leopard.

According to Symantec, QuickTime Player 7.3 is affected by this vulnerability. As of Nov. 26, it hadnt yet been determined whether other versions are affected as well.

To exploit the issue, an attacker has to lure an unsuspecting user to connect to a malicious RTSP server.

Apple had not responded to requests for input by the time this article posted. In lieu of a patch, Symantec is advising users to mitigate the potential danger by deploying network intrusion detection systems to monitor network traffic for malicious activity. Symantec is also advising users to use NIDS (network intrusion detection system) to monitor network traffic for signs of anomalous or suspicious activity, including but not limited to requests that include NOP (no operation) sleds and unexplained incoming and outgoing traffic.

A NOP sled, aka NOP slide, is a sequence of NOP instructions meant to "slide" the CPUs instruction execution flow to a final, desired destination.

Symantec is also advising that all software be set to run as a nonprivileged user with minimal access rights. Also, to limit the effects of a successful compromise, run all client software with the least privileges required to function.

And as always, dont follow links from strangers or untrusted sources, stay out of questionable sites, and dont touch files from unknown sources.

Symantec is also advising users to use memory-protection schemes to trip up an attackers ability to exploit the vulnerability by executing arbitrary code. That includes nonexecutable and randomly mapped memory segments.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.