• On CBS MoneyWatch: 4 Things You SHOULDN'T Buy at Target
advertisement
January 11, 2008 11:39 AM PST

Another QuickTime RTSP flaw announced

by Robert Vamosi

There is a new exploit that affects how Apple QuickTime handles the Real Time Streaming Protocol (RTSP) and may allow an attacker to execute arbitrary code or cause a denial-of-service attack on a vulnerable system. The condition is similar yet different from a QuickTime RTSP flaw reported in December. This new vulnerability can occur on a fully patched QuickTime version 7.3.1, running on Windows and possibly Mac OS X.

Discovered by Luigi Auriemma, details can be found here, and here. Auriemma provides an exploit example on his site and writes: "For exploiting this vulnerability is only needed that an user follows a rtsp:// link, if the port 554 of the server is closed QuickTime will automatically change the transport and will try the HTTP protocol on port 80, the 404 error message of the server (other error numbers are valid too) will be visualized in the LCD-like screen."

Apple has not said when a patch for this will become available.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Security

Tags:

security,

Apple,

Quicktime,

RTSP,

buffer overflow,

Luigi Auriemma

Share:
Digg
Del.icio.us
Reddit
Recent posts from Defense in Depth
Window Snyder to leave Mozilla
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Security expert talks Russian gangs, botnets
Extortion used in Express Scripts database breach
Related
MacFixIt Answers
Critical Adobe Reader hole to be patched Thursday
Adobe to fix Reader hole unveiled at Black Hat
Microsoft warns about application security flaw
Apple Releases Security update 2010-005 for OS X 10.5 and 10.6
Hands-on preview: Canon 60D delivers major changes over 50D
Microsoft to issue record number of patches
Record Patch Tuesday yields critical Windows, IE fixes
Add a Comment (Log in or register) (5 Comments)
  • prev
  • next
Assume the protocol is flawed
by mjm01010101 January 11, 2008 12:44 PM PST
There has been a vuln found in quicktime every month ever since release. Assume the protocol and player are therefore flawed.
Reply to this comment
flawed assumption
by sjkx January 11, 2008 1:01 PM PST
Just because a protocol has security vulnerabilities doesn't imply
it's flawed, especially if it wasn't designed to be secure. Using your
"logic" many Internet protocols (including TCP and IP) are flawed.
View reply
RTSP is the industry accepted standard (even for MS!)
by Ilgaz January 11, 2008 1:57 PM PST
The "Protocol" isn't flawed, its implementation (one of many!) has
issue. If Apple acts late again, whole web will be full of "uninstall
quicktime" advices which will hurt many things such as
mpeg4/h264 standard adoption.
Apple said "Sometime in Early 2008"....
by fred dunn January 15, 2008 6:44 AM PST
What a real help. It appears they are more concerned with showing new products and Steve Job's ego than with security.
Reply to this comment
(5 Comments)
  • prev
  • next
advertisement
CNET River

  • jetscott: Hey Jets haters, shelve those fantasies: Revis is coming back.

  • caro: Just spotted Fish and Chips @ Liberal Cup on @Foodspotting http://bit.ly/b6qzu7

  • raygun01: Arrive home and power up my Mac Pro to find it spontaneously rebooting. Sometimes after a full OS bootup, others repeatedly at Apple logo.

  • caro: BURGERS!!!! RT @EmilyGannett Finished with @caro's boot camp - 6m run followed by a 7.6m hike. Now, what's for dinner?!?

  • jetscott: iPhone 4 browsing gets crazy at such high resolutions. My thumb needs tiny fingers.

  • jetscott: Migraine has destroyed my afternoon. Living in a dark room, trying to make peace with the pain.

  • stshank: Rebates for a few days on seven Tamron lenses: http://bit.ly/bnzmu1

  • mollywood: Q: are no-contract phone prices even remotely based in reality? I mean, does a Droid 2 really cost more to make than an iPad? Rant brewing.

  • caro: Rainbow visible from summit (4170 ft) (@ Old Speck Mountain) http://4sq.com/cvyqU9

  • antgoo: Jeez, any time you save by driving in this city is immediately lost looking for parking... And then some!

  • Former HP CEO Mark Hurd heading to Oracle?
  • World's best sounding 3D Blu-ray

  • jetscott: Talking Apple TV on WGN Chicago radio in just a few minutes.

  • raygun01: Lucy is cutting four teeth at once... and we are flying cross country all day. If ever we needed a miracle, now would be the time.

  • Aboard an Alcatel-Lucent undersea cable ship (photos)

  • stshank: Ha! RT @diveintomark: PING: YOUR FRIEND HAS BEEN REJECTED BECAUSE SHE DUPLICATES THE FUNCTIONALITY OF AN EXISTING FRIEND.

  • stshank: What happened to fast user switching from Windows XP to Windows 7? It takes *forever* now. It had been a real advantage over Mac OS X.

  • stshank: .@jnack If you want to blow off steam about the garbage that is Star Wars prequels, I recommend RedLetterMedia: http://bit.ly/cquHAx

  • danackerman: Saturday's conversation about new Android tablets, including the Samsung Galaxy Tab, on MSNBC: http://t.co/b383pO3

  • caro: I made it! RT @ohhleary: Last course of dinner: Icebox Chocolate Cake with Bar Harbor Cadillac Mountain Stout http://plixi.com/p/43341618

  • loricnet: Or at least raw+JPG RT @Photocritic: Friends don't let friends shoot JPG. pick up your camera right now, switch it to RAW, never change it.

  • jetscott: Take a look at the Patriots' final roster, then tell me how exactly they're supposed to win the AFC East.

  • danackerman: At the Film Forum, about to see The Tinger, presented in original "Percepto" format http://yfrog.com/4blmscj

  • Kindle vs. Nook vs. iPad: Which e-book reader should you buy?

  • caro: Time for an authentic @ohhleary local beer tasting http://twitpic.com/2lbp82

Chrome reshapes the browser market

The influence that Google's browser has had on the market is broader than its actual use. On Chrome's second anniversary, Google releases the sixth stable version.

Apple rolls out new iPods, social iTunes

A new version of Apple TV is also coming soon, as Apple follows its usual September playbook in refreshing its iPod lineup and the iTunes software.
• Roundup: New iPods, iTunes, TV?

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement
Click Here

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
Video
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET API
About CNET