Apple Vulnerability Project Launches with QuickTime ExploitBy Ryan Naraine | Posted 2007-01-01 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
The first flaw in the Apple bug-a-day project is an easy-to-exploit QuickTime issue that puts millions of Mac and Windows users at risk of code execution attacks.
An easy-to-exploit security vulnerability in Apple Computer's QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks.
The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January.
According to an advisory released Jan. 1, the flaw exists in the way QuickTime handles a specially rigged "rtsp://" URL.
He described exploitation of the issue as "trivial" and warned that stack NX can also be rendered useless.
LMH said the issue was successfully exploited in QuickTime Player Version 7.1.3. Previous versions are likely vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.
The Cupertino, Calif.-based Apple markets QuickTime as a platform for the handling of video, sound, animation, graphics, text and music. The technologyand media playeris available for Windows and Mac users, making it a lucrative target for malware writers.
"The only potential workaround would be to disable the "rtsp://" URL handler, uninstalling QuickTime or simply live with the feeling of being a potential target," according to the advisory.