Apple QuickTime Player Vulnerability Could Lead to Exploits
"If I went to a Website hosting an exploit for this, it would be able to do anything the administrator could do on the computer," said Marc Fossi, Symantec security response manager "It would have full access to the entire operating system."
The vulnerability in Apple's QuickTime Player was caused by a buffer overflow error first disclosed to the public Nov. 23 by Polish security researcher Krystian Kloskowski. Since then, experts have discovered an exploit which could allow attackers to take complete control of an affected system.
"We had it happen in the past where popular trusted sites have been exploited to plant exploits like this. If successful, the attack will give full access to the system with all rights the user has who clicked on the exploit link," said Johannes Ullrich, SANS Institute researcher, via e-mail. "All Windows systems with QuickTime players installed are vulnerable. QuickTime is not a default component of Windows, but it is a popular add-on."
A Symantec blog today stated that the exploit is "active and in the wild" -- meaning that Web surfers are in danger of being attacked. Symantec researchers believe that multiple attacks may exist.
The attack begins with the popular IFRAME. The IFRAME code causes the browser to make an additional request to another hyperlinked URL that has a QuickTime streaming object embedded in it. The object initiates the RTSP connection to the malicious server and the unsuspecting user is then redirected to the malicious site serving the exploit. Exploit code is then sent.
"Now, once this is discovered, you start a race between a developer and the bad guys," said David Perry, Trend Micro global director of education.
Experts also say that the vulnerability could also result in another scenario, in which the user receives a malicious e-mail with an attachment containing a file associated by default to QuickTime Player. Users would click on a link to a supposed media file, which would really be a buffer overflow feed that forces the player to open an RTSP connection to a malicious server hosting the exploit. The attack would require users to double-click on the QuickTime attachment in order to run.
Not everyone will be susceptible to attacks. Experts estimate that Mac users might be more protected. "We will see who gets the end result of this," said Perry. "Macs force you to take the upgrade right now and you take the upgrade. I would suspect this won't make much difference on the Mac."
The president of one solution provider said he was not worried and that he expected the vulnerability to be fixed soon. "Hopefully by now, all Mac and PC users know not to trust any attachment or URL sent from an un-trusted source as both platforms are vulnerable to user-initiated attacks," said John Eaton, president of San Francisco-based Eaton and Associates, specializing in IT solutions and consulting services. "If this was a vulnerability that could be exploited without user interaction, then it would likely be much worse. I don't expect this to be a big problem. A fix is very likely in the next 24 to 48 hours and the interim fix is not overly complicated."
Firefox users with QuickTime as the default player for multimedia formats are also more vulnerable to this attack because Firefox issues the request directly to the QuickTime. However, while Mozilla Firefox users could be significantly impacted, not all browsers will be affected.
"Internet Explorer acts as a broker between the Website and QuickTime, more like a plug-in," said Fossi. "With Firefox, when it sees a QuickTime request, instead of handling the request itself, it hands the request off to QuickTime. A vulnerable version of QuickTime would be exploited through that browser."
The QuickTime vulnerability is still at Zero-Day -- that is to say, engineers have yet to find a fix for the problem. The company confirmed that it was currently looking into the error. "Apple takes security very seriously and has a great track record of addressing vulnerabilities before they affect users," an Apple spokesperson said.
Until a patch is installed, security personnel advise users to run Web browsers at the highest security settings possible, disable Apple QuickTime as a registered RTSP handler and filter outgoing activity over common RTSP ports.
And as always, users should be wary of clicking on links to untrusted or unknown Web sites, experts say.
"It's serious enough so that people do want to be careful. It's not like every Website you go to is going to have this thing. You actually have to go to a Website to be exploited," said Fossi. "It's all about exercising a bit of caution and taking other necessary precautions."