• On ZDNet: Why not take the Linux plunge?
advertisementGet Smart about Business Spending
January 11, 2008 11:39 AM PST

Another QuickTime RTSP flaw announced

by Robert Vamosi
  • Font size
  • Print
  • 5 comments

There is a new exploit that affects how Apple QuickTime handles the Real Time Streaming Protocol (RTSP) and may allow an attacker to execute arbitrary code or cause a denial-of-service attack on a vulnerable system. The condition is similar yet different from a QuickTime RTSP flaw reported in December. This new vulnerability can occur on a fully patched QuickTime version 7.3.1, running on Windows and possibly Mac OS X.

Discovered by Luigi Auriemma, details can be found here, and here. Auriemma provides an exploit example on his site and writes: "For exploiting this vulnerability is only needed that an user follows a rtsp:// link, if the port 554 of the server is closed QuickTime will automatically change the transport and will try the HTTP protocol on port 80, the 404 error message of the server (other error numbers are valid too) will be visualized in the LCD-like screen."

Apple has not said when a patch for this will become available.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Security

Tags:

security,

Apple,

Quicktime,

RTSP,

buffer overflow,

Luigi Auriemma

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Defense in Depth
Window Snyder to leave Mozilla
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Security expert talks Russian gangs, botnets
Extortion used in Express Scripts database breach
Related
Critical Windows 7 holes fixed in record Patch Tuesday
Apple plugs holes for domain spoofing, other attacks
Performance showdown: Windows 7 vs. Snow Leopard
Wrapping up Speeds and Feeds, part 2: Reliability
Firefox's crossroads: Cutting-edge or mainstream?
Finding the catch in 'free' software
Free alternatives to Adobe Reader
Time Warner home routers still open to attack, blogger says
Add a Comment (Log in or register) (5 Comments)
  • prev
  • 1
  • next
Assume the protocol is flawed
by mjm01010101 January 11, 2008 12:44 PM PST
There has been a vuln found in quicktime every month ever since release. Assume the protocol and player are therefore flawed.
Reply to this comment
flawed assumption
by sjkx January 11, 2008 1:01 PM PST
Just because a protocol has security vulnerabilities doesn't imply
it's flawed, especially if it wasn't designed to be secure. Using your
"logic" many Internet protocols (including TCP and IP) are flawed.
View reply
RTSP is the industry accepted standard (even for MS!)
by Ilgaz January 11, 2008 1:57 PM PST
The "Protocol" isn't flawed, its implementation (one of many!) has
issue. If Apple acts late again, whole web will be full of "uninstall
quicktime" advices which will hurt many things such as
mpeg4/h264 standard adoption.
Apple said "Sometime in Early 2008"....
by fred dunn January 15, 2008 6:44 AM PST
What a real help. It appears they are more concerned with showing new products and Steve Job's ego than with security.
Reply to this comment
(5 Comments)
  • prev
  • 1
  • next
advertisement
Click Here

As alternative energy grows, NIMBY greens

With more renewable energy projects trying to come online, the country grapples with the balance between local land use and a national push for clean energy.

Google to remake programming with Go

A Unix co-creator is among those behind a language Google hopes will speed computers and programming. Today, Go becomes open-source software.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET