To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39164921,00.htm

Warning over "critical" QuickTime hole
The Month of the Apple Bugs kicks off...

By Joris Evers

Published: Wednesday 03 January 2007

A newly disclosed security vulnerability in Apple's QuickTime software could put both Macs and Windows PCs at risk of cyber attacks, experts have warned.

The publication on Monday of the vulnerability and detailed attack code kicks off the "Month of the Apple Bugs" project, which promises to feature a new Apple software bug each day in January.

The QuickTime vulnerability relates to how the media player software handles the Real Time Streaming Protocol, or RTSP, according to an advisory published on the Month of the Apple Bugs website. An attacker could create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow, according to the advisory.

LMH, the alias of one of the two security researchers behind the Month of the Apple Bugs, said: "The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account. It can be triggered via JavaScript, Flash, common links, QTL files and any other method that starts QuickTime."

The vulnerability affects QuickTime 7.1.3, the latest version of the media player software released in September, on both Apple Mac OS X and Microsoft Windows, according to the Month of the Apple Bugs advisory. Previous versions could also be vulnerable, it said.

Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSirt, rate the QuickTime flaw as "highly critical" and "critical", respectively.

In response to the publication of the QuickTime flaw, an Apple spokesman said the company always welcomes feedback on how to improve security on the Mac, a standard company statement. The spokesman did not comment on the specifics of the flaw or provide any indication of when Apple may deliver a patch.

QuickTime users can protect themselves against the vulnerability by disabling support for RTSP. The Sans Internet Storm Center, which tracks internet threats, provides instructions on how to do this for both Windows PCs and Macs.

The Month of the Apple Bugs is meant to uncover security flaws in different Apple software and other applications for Mac OS X, according to the project website. LMH said: "We can expect certainly many more critical issues being released during the month."

LMH and Kevin Finisterre, an independent security researcher, wrote on the Month of the Apple Bugs website: "A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple."

On Tuesday, LMH and Finisterre published the second bug as part of their project. This time the flaw is not in Apple code but in the VLC Media Player, an open source program available for Mac OS X and Windows. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution, LMH and Finisterre wrote in an alert.

In November, LMH started the "Month of Kernel Bugs" project, which also included some Apple software bugs. That initiative was inspired by the "Month of Browser Bugs" in July.

Joris Evers writes for CNET News.com