Exploit Released for Unpatched QuickTime Flaw

Posted in Live (December 14, 2007 at 2:14 am)

Instructions for exploiting a previously undocumented security hole in Apple’s QuickTime media player software are now available online, and security firms are warning that it may not be long before we start seeing criminal groups taking advantage of the flaw to break into vulnerable computers.

According to an advisory from US-CERT, the vulnerability stems from a weakness in the way QuickTime handles a type of media-streaming communications called the “Real Time Streaming Protocol” (RTSP). Attackers could exploit the flaw merely by convincing users to click on a poisoned link, open a malicious e-mail attachment, or visit a specially crafted Web page. US-CERT says the vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems.

Interestingly, researchers at Symantec say they tested the publicly available exploit code for this flaw and found that it failed to work properly against Internet Explorer 6/7 as well as Safari 3 Beta; in those tests, the exploit simply crashed QuickTime. But Symantec said the exploit worked perfectly against Firefox if users have chosen QuickTime as the default player for multimedia formats.

US-CERT says it is not aware of any practical solutions to the vulnerability at this time, but it does list a number of steps that may help mitigate the threat this flaw presents. For those who are not comfortable editing the Windows registry (things can go horribly wrong here if you don’t know what you’re doing or how to recover from a hosed registry), there are a couple of other options.

The first, and most obvious, is to simply uninstall QuickTime. But this won’t work for people who use iTunes, as that program requires QuickTime to be installed in order to function correctly. Firefox users can and should avail themselves of the “NoScript” add-on, which would help block an exploit like this from being launched via sneaky JavaScript attacks, which is how most exploits for these types of vulnerabilities tend to be delivered.

In addition, QuickTime users can set the program so that neither the player nor the QuickTime plug-in for IE/Firefox will use QuickTime to open RTSP content. To do this, open QuickTime, select “Edit,” then “Preferences.” On the tab labeled “Browser,” click the “MIME Settings” tab at the bottom, and then on the “+” sign next to “Streaming,” and uncheck the box next to RTSP. Click “OK,” and then head over to the “File Types” tab and do the same (hat tip to BroadbandReports’ excellent Security Forum for these instructions).
