Month Of Apple Bugs Starts With QuickTime Exploit

The vulnerability involves the way QuickTime handles URLs using the Real Time Streaming Protocol (RTSP), a standard for broadcasting multimedia content online. An attacker could enter a URL with a specially crafted text string to trigger a buffer overflow and open the door to malicious code execution, according to a Monday blog post by one of the co-organizers of the project, a security researcher who uses the handle L.M.H.

L.M.H. and his partner in the project, security researcher Kevin Finisterre, posted a working exploit for the flaw that has been tested on QuickTime Version 7.1.3. Previous versions "should be vulnerable as well," and the only potential workaround for the flaw would be to disable the RTSP URL handler, the researchers wrote.

Vendors that issue threat ratings were in agreement about the severity of the flaw. Secunia rated it "highly critical," or 4 on a 5-point scale. Symantec rated it 8.3 on a 10-point scale, and the French Security Incident Research Team (FrSIRT) rated it "critical," or 4 on a 4-point scale.

When asked about the QuickTime vulnerability, Apple spokesman Anuj Nayar said, "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."