November 26, 2007 7:28 AM PST

Apple QuickTime exploit published

by Dawn Kawamoto
Update at 5:45 a.m. November 27:

The Apple QuickTime zero-day exploits also work against systems running Windows Vista and Windows XP with Apple Safari 3.0 for Windows, Firefox, Internet Explorer 6 or IE7, according to a posting late Monday night on the SANS Internet Storm Center blog.

SANS also reminded people to undo the workarounds once Apple develops a patch for the security problem. Otherwise, the QuickTime streams won't work on your system.


Security researchers are warning that exploit code has been published that can take advantage of an extremely critical security flaw in a protocol supported by Apple QuickTime.

Apple QuickTime versions 7.2 and 7.3 on Microsoft Windows Vista and Windows XP Pro SP2 are both affected, according to an advisory originally posted on Milw0rm.com.

And because Apple's iTunes contains a component of QuickTime, installations of iTunes are also at risk, according to a security advisory by the United States Computer Emergency Readiness Team (US-CERT).

The security flaw is found in the Real Time Streaming Protocol (RTSP) support of Apple's QuickTime Streaming Server and QuickTime player, US-CERT notes. As a result, users who load a malicious RTSP stream, whether through a QuickTime Media Link file or by visiting a malicious Web page, may find their systems compromised. An attacker could, for example, execute arbitrary code on the user's system or launch a denial-of-service attack.

Earlier this month, Apple released QuickTime 7.3 to address seven security flaws in QuickTime 7.2. The fixes, however, did not deal with the RTSP vulnerability cited by security researchers over the past three days.

US-CERT is recommending users consider several workarounds to potentially minimize exposure to the RTSP vulnerabilities. The workarounds include disabling QuickTime ActiveX controls on Internet Explorer, QuickTime plug-ins for Mozilla-based browsers, JavaScript, and file association for QuickTime files. Other suggestions include avoiding QuickTime files that come from untrusted sources.
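The advisory's trigger is a QuickTime Media Link (.qtl) file that points QuickTime at an RTSP stream, and its last workaround is to keep QuickTime files from untrusted sources away from users. The script below is an added example, not code from the article, US-CERT or Apple: a small gateway-side filter that reads a .qtl file, pulls out every media reference, and blocks any rtsp:// reference whose host is not on an allowlist. It assumes the QTL layout is XML with the media URL in the src attribute of an <embed> element; the sample file, the host names and the allowlist are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample QuickTime Media Link (.qtl) document. Assumption (not from
# the article): a QTL file is XML whose <embed> element carries the media URL
# in its src attribute; this one points at an RTSP stream on an arbitrary host.
SAMPLE_QTL = """<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-media-link"?>
<embed src="rtsp://media.example.net/clip.mov" autoplay="true" />
"""

# Constructed allowlist: streaming hosts the organisation operates itself.
TRUSTED_RTSP_HOSTS = {"stream.corp.example"}


def extract_media_urls(qtl_text):
    """Return the src attribute of every <embed> element, in document order.

    Raises ET.ParseError when the input is not well-formed XML.
    """
    root = ET.fromstring(qtl_text)
    # iter("embed") yields the root itself when the root element is <embed>,
    # and any nested <embed> elements otherwise.
    urls = [e.get("src") for e in root.iter("embed") if e.get("src")]
    return list(dict.fromkeys(urls))  # drop duplicates, keep order


def classify_url(url, trusted_hosts=TRUSTED_RTSP_HOSTS):
    """Decide whether one media reference may reach QuickTime.

    Policy follows the advisory: the RTSP path is the attack vector, so
    rtsp:// references are only allowed from allowlisted hosts. Other
    schemes are passed through for whatever other controls apply to them.
    """
    parts = urlparse(url)          # scheme and hostname come back lowercased
    if parts.scheme != "rtsp":
        return "allow", "not an RTSP reference"
    host = parts.hostname or ""
    if host in trusted_hosts:
        return "allow", "RTSP stream from allowlisted host %s" % host
    return "block", "RTSP stream from untrusted host %s" % (host or "<none>")


def scan_qtl(qtl_text, trusted_hosts=TRUSTED_RTSP_HOSTS):
    """Scan one QTL document; return a list of (url, verdict, reason) tuples.

    A document that does not parse is blocked outright rather than passed
    through: a filter that cannot read the file cannot vouch for it.
    """
    try:
        urls = extract_media_urls(qtl_text)
    except ET.ParseError as exc:
        return [("<unparseable>", "block", "QTL is not well-formed XML: %s" % exc)]
    return [(u,) + classify_url(u, trusted_hosts) for u in urls]


if __name__ == "__main__":
    for url, verdict, reason in scan_qtl(SAMPLE_QTL):
        print("%-5s %s  (%s)" % (verdict, url, reason))
```

The filter deliberately fails closed on malformed input and keys only on the RTSP scheme and host, so it stays useful as a stopgap until the patch ships and can be retired afterwards, as the SANS reminder above suggests for all of these workarounds.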

Security firm Secunia has rated the vulnerability "extremely critical."

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News.
14 Comments
Another Apple Bug
by irperez November 26, 2007 10:58 AM PST
Another Apple Bug...

What did you expect? A flawless application like they tout on the commercials?

Yea.... Right....

You Apple Fans, welcome to the real world.

Until Apple learns to develop applications to minimize this like the way Microsoft has been doing for the past 1 1/2, expect more. And yes, Microsoft has gotten a lot better. Their beta releases are rock solid, let alone their official releases.
Apple bug....really?
by ittesi259 November 26, 2007 11:42 AM PST
You tout how great MS releases are, but fail to acknowledge that only Windows users seem to be affected.....the bug may be in QuickTime, but why aren't OS X installations listed as vulnerable?
How about...
by jelloburn November 26, 2007 2:10 PM PST
we don't turn this into a Mac vs. Windows argument...

What I'm wondering is whether this only affects QuickTime users or if it affects all users that use RTSP?

As quoted in the article: "Security researchers are warning that exploit code has been published that can take advantage of an extremely critical security flaw in a protocol supported by Apple QuickTime."

It says the flaw is in the protocol, which makes me wonder if other players can suffer from this same flaw. If so, it seems crappy that Apple is getting the bad rap for this issue.
Monthly CRITICAL MS updates
by Travis Ernst November 26, 2007 3:15 PM PST
TSIA.

Apple does not have frequent critical level updates simply due to the fact they don't have Swiss cheese holes in their programs. Don't go yelling at Apple for one small issue when Microsoft is in need of updating every month to fix all their holes, saying the updates are critical level.

Compare the two OS's and how often updates are "needed" for security and performance of the ware.
I'll tell you who's funny . . .
by K.P.C. November 27, 2007 3:53 AM PST
It's the 6 out of 7 commenters (so far) above who are screaming "see Apple sucks too!" when this QuickTime exploit only affects "Windows Vista and Windows XP Pro SP2" and not OSX.

What you conveniently ignore is the fact that Windows causes the flaw . . . allows the exploit . . . It's the base programming of Windows that allows this to happen . . . It's full of holes.

You guys scream that the ONLY reason there are no viruses or exploits out there for OSX is that "the market share is too small so why bother".

Here we have an exploit for a program (QuickTime) that runs on both OS's but only affects Windows . . . QuickTime is a well written program . . . Windows is flawed . . . that's why it's so easy to attack.

Waaaa waaaa . . . let the Flames begin (^0^)/
Affects OSX --- Re: I'll tell you who's funny
by brianfellow November 30, 2007 5:53 AM PST
Why don't you read the bulletin before you start blasting Windows. It DOES affect OSX. It is a QuickTime flaw.
Cool!
by Rick Cavaretti November 27, 2007 7:38 AM PST
I can't wait...mudslinging and entertainment for the day!
Another Apple patch
by Lenter101 November 27, 2007 9:51 AM PST
Here's a quote from the New York Times - November 15, 2007 - concerning Apple patches, "Apple has patched over 150 vulnerabilities in the eight security updates it has issued so far during 2007."

What a great product.
About machines and exploits...
by barriospaz November 27, 2007 12:55 PM PST
Seems like people forget we are talking about machines (made by humans) and software (also made by humans). I own a post-production company, so we use computers in a very professional and intensive way (Macs, PCs and Linux), and in the past year I personally downloaded more than 600 MB of updates for every single Apple computer we have. From that amount, more than 300 MB of data were security updates to cover flaws in code written by Apple. It's incredibly stupid to think that every single line of code running in OSX is perfect and secure. Even a novice in our IT department knows how to break security in any machine (PCs, Macs or Linux)... it's just a matter of time. Just stop that Windows vs OSX war. Both pieces of software are made by humans, plagued with errors, and are insecure.