QuickTime RTSP Vulnerability Proof-of-concept Surfaces
QuickTime RTSP Vulnerability Proof-of-concept Surfaces
by , 4:50 PM EST, November 29th, 2007
A few days after a flaw was discovered in the QuickTime handling of the Real Time Streaming Protocol (RTSP), researchers have been able to craft a proof-of-concept exploit, according to Computerworld on Thursday.
"This particular exploit can cause remote code execution through the QuickTime RTSP protocol vulnerability on Microsoft Windows and Apple systems," Symantec said. "This is the first working exploit for Apple systems that we have observed."
The appearance of a proof-of-concept exploit at the site milw0rm.com has be characterized as a "tripwire" by Symantec. "Once we see something in Metasploit, we know it's likely we'll see it used in attacks," Alfred Huger, vice president of engineering with Symantec's security response group said last summer.
The proof-of-concept works on Intel or PPC Macs running Tiger or Leopard with QuickTime 7.2 or 7.3 (It also affects Windows XP SP2.) Symantec explained how it might work along with some preventive measures.
Apple has not yet published a fix.
Observer Comments
"If the client is using Internet Explorer, the shell code is written to a heap area for later use."
"If QuickTime ActiveX controls in Internet Explorer and plug-ins in Firefox are disabled, the exploit will not work."
NOWHERE does this article say ANYTHING about Macs being affected.
Of course Symantec recommends: "Symantec antivirus products with the latest definitions will detect this threat as Trojan.Quimkids."
/cough
Thu Nov 29, 2007 7:47 pm Subject: Mac vulnerability
From the original CW article, linked in the first paragraph...
"But even though analysts confirmed on Monday that Mac OS X versions of QuickTime 7.2 and later are also vulnerable, it took several more days for other researchers to craft a reliable exploit."
...
"According to the proof-of-concept, the Metasploit module works on Intel- and PowerPC-based Macs running either Mac OS X 10.4 (Tiger) or 10.5 (Leopard). It also executes on PCs running Windows XP SP2."
Fri Nov 30, 2007 9:11 am Subject: Dig Your Own Hole
Quotedaemon wrote:
Another Apple security hole. Where exactly does the "designed for security from the ground up" come into play with Apple's software?
The same way that a car designed for safety can still have faults?? The Unix basis of OS X is fundamentally a better model than classic Mac OS, or Windows. Mac OS system 9 closed the gap considerably, as did XP SP2 and Vista on Windows, but neither of those systems had been designed as a secure networked system in the first place.
Which isn't to defend them in this case - Quicktime seems to be the single most insecure piece of software Apple have produced.
Fri Nov 30, 2007 10:00 am Subject:
Fri Nov 30, 2007 10:56 am Subject: It doesn't work in Safari?
Comments are currently closed. Please email the author instead.
Recent Headlines - Updated November 8th
- Sat, 7:58 PM
- News - Apple TV 3.0.1 Update Fixes Missing Content Bug
- Fri, 7:45 PM
- Rumor - Taiwan Leak Shows Verizon UTMS/CDMA iPhone for Q3 2010
- 6:40 PM
- News - iPhone Moves Into RadioShack
- 6:30 PM
- News - Apple to Open Stunning Paris Apple Store in Le Louvre on Saturday
- 5:43 PM
- Free on iTunes - Dictionary, Dictionary, Dictionary, And More
- 4:09 PM
- John Martellaro's Blog - Particle Debris (week ending 11/6) Failure IS an Option
- 3:32 PM
- Games - The Latest App Store Games: Gravity Sling, RocketBird, Ground Effect, Checkers!
- 2:25 PM
- Games - Star Soccer 2010 for Mac Puts Gamers in Role of Up-and-Coming Player
- 2:15 PM
- How-To - The Mysteries of Rosetta Housekeeping
- 1:33 PM
- News - iPhone Game Developer Sued for Collecting User’s Cell Numbers
- 1:17 PM
- Games - Warhammer Online Expands Trial Play Option
- 11:19 AM
- Rumor - Apple May Be Bringing RFID to the iPhone
The Mac Observer Reader Specials
- TypeStyler For Mac OS X is Now Shipping! Download The Free Fully Functional 60 Day Tryout at www.typestyler.com
RamJet Memory: Mac Pro 8-core 8GB Kit $199.99, 4GB Kits $109.99! Sale on MacBook and MacBook Pro 8GB kits $549.99! New MacBook DDR3 2GB for $49.99. iMac and Mac mini 4GB Kits for $79.99! 1TB SATA Hard Drives for $109.99! Click here
OWC: Get the Right Memory for Your Mac Top Quality, Competitive Price, Lifetime Backed Free Expert Support + Installation Videos too! MacBook & mini 8GB, iMac 16GB, Mac Pro up to 32GB. Click here
If you're using a Mac, then you've gotta check out Full Tilt Poker for Mac. This Full Tilt Poker bonus code does the unthinkable, it actually rewards!For the latest Apple products use Ciao, a price comparison website, to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate mobile phones like the Apple iPhone.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
