Apple QuickTime Player Error Targeted By Exploit
vulnerability exploit multimedia
So far, there is no reported patch for the vulnerability, known as a buffer overflow error, which affects versions 7.3.1.70 and lower running on both Windows and Mac operating systems.
The error can be found in the way that QuickTime handles Real Time Streaming Protocol Response message headers, which occur during the filling of the LCD-like screen containing information about connection status.
A remote attacker could potentially exploit the vulnerability by persuading a user to access a specially crafted QuickTime file, or RTSP stream, connect to a malicious server or visit a specially crafted Web page, in order to execute arbitrary code that could take complete control or cause a DoS attack on an affected system.
The U.S. Computer Emergency Readiness Team posted an alert on its site Thursday, warning users about the potential threat. The flaw was also given a "critical" ranking by the French Security Incident Response Team, meaning that the vulnerability could be exploited remotely. So far, there are no reports that the exploit is active and "loose in the wild."
However, this error is not new to QuickTime Player and experts say it could be a matter of time before an active exploit is created. The vulnerability, which was first detected Dec. 13, 2007, was recently made public by Italian security researcher Luigi Auriemma.
Some security experts remain skeptical about proof of concept exploits, maintaining that they often give criminals a ready-made map for an actual, "in the wild" attack.
"This is a questionable practice," said David Perry, global director of education at Trend Micro. "Frequently the code that was found in the proof of concept shows up in a criminal attack."
"It's like firing the starting gun for the criminals," Perry added.
Perry said that Apple QuickTime Player will likely become an even bigger target for attackers because of its global popularity and potential to affect millions of users.
The flaw is the latest in a series of bugs that QuickTime has had to address. Polish researcher Krystian Kloskowski detected another QuickTime stack-based buffer overflow error November 2007, which affected version 7.3. Attackers shortly thereafter targeted the flaw with an active, "in-the-wild" exploit.