So far, there is no reported patch for the vulnerability, a buffer overflow that affects QuickTime versions 7.3.1.70 and lower running on both Windows and Mac operating systems.
The flaw lies in the way QuickTime handles Real Time Streaming Protocol (RTSP) response message headers, which it processes while filling the LCD-like screen in the player that shows connection status.
A remote attacker could exploit the vulnerability by persuading a user to open a specially crafted QuickTime file or RTSP stream, connect to a malicious server, or visit a specially crafted Web page. Successful exploitation could allow the attacker to execute arbitrary code and take complete control of the affected system, or to cause a denial of service.
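To make the bug class concrete, here is an added illustration; it is not QuickTime's code and is not taken from the researcher's advisory. A toy RTSP client copies a server-supplied response header into a fixed-size buffer that backs a connection-status display. The unsafe version sizes its copy from the header the server sent, so a long header smashes the stack; the hardened version checks the status line, requires a CRLF on every header line, and refuses oversized headers instead of silently truncating them. The buffer sizes, the choice of the Server header, and the sample responses are assumptions made for the example.

```c
/*
 * Added example, not Apple's code: an RTSP client that copies a response
 * header into a fixed-size status buffer, shown in an unsafe and a hardened form.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_LEN   64    /* assumed size of the status-display buffer */
#define MAX_HDR_LINE 256   /* assumed upper bound for one header line */

enum rtsp_result {
    RTSP_OK                  =  0,
    RTSP_ERR_BAD_STATUS_LINE = -1,
    RTSP_ERR_NO_HEADER       = -2,
    RTSP_ERR_HEADER_TOO_LONG = -3,
    RTSP_ERR_TRUNCATED       = -4
};

/* Vulnerable pattern: the copy length comes straight from the peer.
 * Returns the header length, or RTSP_ERR_NO_HEADER if no Server header. */
int status_from_response_unsafe(const char *response)
{
    char status[STATUS_LEN];
    const char *p = strstr(response, "Server: ");
    if (p == NULL)
        return RTSP_ERR_NO_HEADER;
    p += 8;
    size_t n = strcspn(p, "\r\n");
    memcpy(status, p, n);          /* stack overflow when n >= STATUS_LEN */
    status[n] = '\0';
    return (int)strlen(status);
}

/* Hardened parser: validates the status line, requires CRLF on every line,
 * bounds all copies. Returns the RTSP status code (>0) or a negative error. */
int status_from_response_safe(const char *response, char *out, size_t out_len)
{
    const char *p = response;
    if (strncmp(p, "RTSP/1.0 ", 9) != 0)
        return RTSP_ERR_BAD_STATUS_LINE;
    p += 9;
    char *end;
    long code = strtol(p, &end, 10);
    if (end == p || code < 100 || code > 999 || *end != ' ')
        return RTSP_ERR_BAD_STATUS_LINE;
    p = strstr(end, "\r\n");
    if (p == NULL)
        return RTSP_ERR_TRUNCATED;
    p += 2;

    int found = 0;
    while (*p != '\0') {
        size_t line_len = strcspn(p, "\r\n");
        if (p[line_len] != '\r' || p[line_len + 1] != '\n')
            return RTSP_ERR_TRUNCATED;           /* every line needs CRLF */
        if (line_len == 0)
            break;                               /* blank line ends headers */
        if (line_len > MAX_HDR_LINE)
            return RTSP_ERR_HEADER_TOO_LONG;     /* refuse, do not truncate */
        if (line_len >= 8 && strncmp(p, "Server: ", 8) == 0) {
            size_t vlen = line_len - 8;
            if (vlen >= out_len)                 /* leave room for the NUL */
                return RTSP_ERR_HEADER_TOO_LONG;
            memcpy(out, p + 8, vlen);
            out[vlen] = '\0';
            found = 1;
        }
        p += line_len + 2;
    }
    return found ? (int)code : RTSP_ERR_NO_HEADER;
}

/* Convenience wrappers used by the demo. */
int response_status(const char *response)
{
    char status[STATUS_LEN];
    return status_from_response_safe(response, status, sizeof status);
}

const char *server_banner(const char *response)
{
    static char status[STATUS_LEN];
    return status_from_response_safe(response, status, sizeof status) > 0 ? status : NULL;
}

/* Constructed sample responses; neither is a real capture. */
static const char benign_response[] =
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Server: ExampleStreamer/1.0\r\n"
    "\r\n";

/* Builds a response whose Server header (200 bytes) exceeds STATUS_LEN. */
char *build_oversized_response(void)
{
    static char buf[1024];
    snprintf(buf, sizeof buf, "RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: ");
    size_t len = strlen(buf);
    memset(buf + len, 'A', 200);
    memcpy(buf + len + 200, "\r\n\r\n", 5);     /* 5 bytes copies the NUL too */
    return buf;
}

int main(void)
{
    printf("benign: rc=%d banner=\"%s\"\n",
           response_status(benign_response), server_banner(benign_response));
    printf("oversized: rc=%d (rejected)\n",
           response_status(build_oversized_response()));
    /* status_from_response_unsafe(build_oversized_response()) would smash the stack. */
    return 0;
}
```

The hardened version rejects rather than truncates: a status display that silently clips a header hides the fact that a peer is sending malformed input, which is exactly the signal a client should log and act on.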
The U.S. Computer Emergency Readiness Team posted an alert on its site Thursday warning users about the threat. The French Security Incident Response Team also gave the flaw a "critical" ranking, indicating that it can be exploited remotely. So far, there are no reports of the exploit being active and "loose in the wild."
However, this kind of error is not new to QuickTime Player, and experts say it could be only a matter of time before an active exploit appears. The vulnerability, first detected Dec. 13, 2007, was recently made public by Italian security researcher Luigi Auriemma.
Some security experts remain skeptical about proof of concept exploits, maintaining that they often give criminals a ready-made map for an actual, "in the wild" attack.
"This is a questionable practice," said David Perry, global director of education at Trend Micro. "Frequently the code that was found in the proof of concept shows up in a criminal attack."
"It's like firing the starting gun for the criminals," Perry added.
Perry said that Apple QuickTime Player will likely become an even bigger target for attackers because of its global popularity and potential to affect millions of users.
The flaw is the latest in a series of bugs that QuickTime has had to address. Polish researcher Krystian Kloskowski found another QuickTime stack-based buffer overflow in November 2007, affecting version 7.3; attackers targeted that flaw with an active, "in-the-wild" exploit shortly thereafter.