January 2, 2007 11:50 AM PST
QuickTime zero-day bug threatens Macs, PCs
- Related Stories
Attack code out for new Apple Wi-Fi flawNovember 1, 2006
Apple patches QuickTime for Macs, WindowsSeptember 12, 2006
Security expert dubs July the 'month of browser bugs'July 5, 2006
The publication on Monday of the vulnerability and detailed attack code kicks off the " Month of the Apple Bugs" project, which promises to feature a new Apple software bug each day in January.
The QuickTime vulnerability relates to how the media player software handles the Real Time Streaming Protocol, or RTSP, according to an advisory published on the Month of the Apple Bugs Web site. An attacker could create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow, according to the advisory.
The vulnerability affects QuickTime 7.1.3, the latest version of the media player software released in September, on both Apple Mac OS X and Microsoft Windows, according to the Month of the Apple Bugs advisory. Previous versions could also be vulnerable, according to the advisory.
In response to the publication of the QuickTime flaw, Apple spokesman Anuj Nayar said the company always welcomes feedback on how to improve security on the Mac, a standard company statement. Nayar did not comment on the specifics of the flaw or provide any indication of when Apple may deliver a patch.
QuickTime users can protect themselves against the vulnerability by disabling support for RTSP. The SANS Internet Storm Center, which tracks Internet threats, provides instructions on how to do this for both Windows PCs and Macs.
The Month of the Apple Bugs is meant to uncover security flaws in different Apple software and other applications for Mac OS X, according to the project Web site. "We can expect certainly many more critical issues being released during the month," LMH said.
"A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple," LMH and Kevin Finisterre, an independent security researcher, wrote on the Month of the Apple Bugs Web site.
On Tuesday, LMH and Finisterre published the second bug as part of their project. This time the flaw is not in Apple code but in the VLC Media Player, an open-source program available for Mac OS X and Windows. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution, LMH and Finisterre wrote in an alert.