Month Of Apple Bugs Starts With QuickTime Exploit

By Kevin McLaughlin, CRN
January 02, 2007    2:00 PM ET

The Month of Apple Bugs, a project that aims to post an Apple vulnerability per day during January, launched on New Year's Day with a remote code execution flaw in Apple's QuickTime media streaming software.

The vulnerability involves the way QuickTime handles URLs using the Real Time Streaming Protocol (RTSP), a standard for broadcasting multimedia content online. An attacker could enter a URL with a specially crafted text string to trigger a buffer overflow and open the door to malicious code execution, according to a Monday blog post by one of the co-organizers of the project, a security researcher who uses the handle L.M.H.

L.M.H. and his partner in the project, security researcher Kevin Finisterre, posted a working exploit for the flaw that has been tested on QuickTime Version 7.1.3. Previous versions "should be vulnerable as well," and the only potential workaround for the flaw would be to disable the RTSP URL handler, the researchers wrote.

Vendors that issue threat ratings were in agreement about the severity of the flaw. Secunia rated it "highly critical," or 4 on a 5-point scale. Symantec rated it 8.3 on a 10-point scale, and the French Security Incident Research Team (FrSIRT) rated it "critical," or 4 on a 4-point scale.

When asked about the QuickTime vulnerability, Apple spokesman Anuj Nayar said, "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

