
Exploit Released for Unpatched QuickTime Flaw

Instructions for exploiting a previously undocumented security hole in Apple's QuickTime media player software are now available online, and security firms are warning that it may not be long before we start seeing criminal groups taking advantage of the flaw to break into vulnerable computers.

According to an advisory from the US-CERT, the vulnerability stems from a weakness in the way QuickTime handles a type of media-streaming communications called the "real time streaming protocol" (RTSP). Attackers could exploit the flaw merely by convincing users to click on a poisoned link, open a malicious e-mail attachment, or visit a specially crafted Web page. US-CERT says the vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems.

Interestingly, researchers at Symantec say they tested the publicly available exploit code for this flaw and found that it failed to work properly against Internet Explorer 6/7 as well as Safari 3 Beta; in those tests, the exploit simply crashes QuickTime. But Symantec said the exploit worked perfectly against Firefox if users have chosen QuickTime as the default player for multimedia formats.

US-CERT says it is not aware of any practical solutions to the vulnerability at this time, but it does list a number of steps that may help mitigate the threat this flaw presents. However, if you are not comfortable editing the Windows registry (things can go horribly wrong here if you don't know what you're doing or how to recover from a hosed registry), there are a couple of other options.

The first, and most obvious, is to simply uninstall QuickTime. But this won't work for people who use iTunes, as that program requires QuickTime to be installed in order to function correctly. Firefox users can and should avail themselves of the "NoScript" add-on, which would help block an exploit like this from being launched via sneaky JavaScript attacks, which is how most of these types of vulnerabilities tend to be exploited.

In addition, QuickTime users can set the program so that neither the player nor the QuickTime plug-in for IE/Firefox will use QuickTime to open RTSP content. To do this, open QuickTime, select "Edit," then "Preferences." On the tab labeled "Browser," click the "MIME Settings" tab at the bottom, and then on the "+" sign next to "Streaming," and uncheck the box next to RTSP. Click "OK," and then head over to the "File Types" tab and do the same (hat tip to BroadbandReports' excellent Security Forum for these instructions).
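
To check the result at the operating-system level, the following PowerShell script (an added example, not from the original post or from US-CERT) reports which program Windows would launch for rtsp:// links and for any file extensions you pass in, and flags entries whose command line names QuickTime. It assumes handlers are registered in the standard HKEY_CLASSES_ROOT layout; the function names are hypothetical, and the script does not inspect the QuickTime browser plug-in's own MIME settings.

```powershell
# Added example: audit which program handles rtsp:// links (and optional
# file extensions) and flag handlers that resolve to QuickTime.
# Assumption: handlers use the standard HKEY_CLASSES_ROOT registration layout.

function Get-OpenCommand {
    param([string]$ClassName)
    # The default value of <class>\shell\open\command is the launch command line.
    $key = "Registry::HKEY_CLASSES_ROOT\$ClassName\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    return (Get-Item -LiteralPath $key).GetValue('')
}

function Get-HandlerReport {
    param([string[]]$Names = @('rtsp'))
    foreach ($name in $Names) {
        $class = $name
        if ($name.StartsWith('.')) {
            # A file extension points at its ProgID through its default value.
            $extKey = "Registry::HKEY_CLASSES_ROOT\$name"
            $class = $null
            if (Test-Path -LiteralPath $extKey) {
                $class = (Get-Item -LiteralPath $extKey).GetValue('')
            }
        }
        $command = $null
        if ($class) { $command = Get-OpenCommand -ClassName $class }
        [pscustomobject]@{
            Name      = $name
            Class     = $class
            Command   = $command
            QuickTime = [bool]($command -match 'QuickTime')
        }
    }
}

# Report the rtsp:// scheme handler; add extensions (e.g. '.ext') as needed.
$report = Get-HandlerReport -Names @('rtsp')
$report | Format-Table -AutoSize -Wrap

$flagged = @($report | Where-Object { $_.QuickTime })
if ($flagged.Count -gt 0) {
    Write-Warning "QuickTime is still registered for: $($flagged.Name -join ', ')"
} else {
    Write-Output 'No audited handler resolves to QuickTime.'
}
```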

By Brian Krebs  |  November 27, 2007; 10:52 AM ET
Categories:  Latest Warnings  


Yes, it's interesting that the different browsers are handling this differently. According to ITWire:

"Internet Explorer and Safari use a plug-in to handle QuickTime items, and the exploit triggers their overflow protection mechanisms."

Not so for Firefox:

"'Firefox users are more susceptible to this attack because Firefox farms off the request directly to the QuickTime Player as a separate process outside of its control,' says Florio."

BTW, on the Mac, the same setting seems to be living under:

System Preferences > QuickTime > Advanced > MIME Settings... > Streaming-Streaming movies

So far in 2007, Apple has issued six QuickTime security-related updates that have fixed a total of 31 flaws. There have also been problems with Windows Media Player and RealPlayer.

I wonder how many exploits we'll see against media players next year. It makes a change from browsers ... speaking of which anyone who's not yet updated Firefox might want to do so, since a new version patching the following issues was out just yesterday:

The online world is rather like the wild west, isn't it?

Posted by: Mike | November 27, 2007 11:23 AM | Report abuse

Could you post the workaround for Vista? Following your steps, after clicking on either "File Types" or "MIME Settings" in the QuickTime Preferences Browser tab, you are taken to the same place: the Vista "Set Program Associations" box. I see nothing mentioning "streaming" or "RTSP" from that box.

Posted by: cs19 | November 27, 2007 11:31 AM | Report abuse

Apple's sabotage of Vista and all computing in general marches on!
Do not install this flawed software on your system, use media player!

Posted by: Steve Ballmer | November 27, 2007 11:33 PM | Report abuse

The workaround for Vista is to install one of the Linux or Unix variants.

Of course, the side effects could include spending less on software, faster computer, and more geek points with your friends/neighbors/boss/boss's pets.

Posted by: Anonymous | November 28, 2007 9:43 AM | Report abuse

I have been saying this to people for years that QuickTime is a flawed program. It is not even installed on any of my or clients' machines. If you need to use anything, Mediaplayer or a separate addon program will work just as well.

Posted by: mike | November 28, 2007 2:10 PM | Report abuse

I totally agree that QuickTime is flawed. But I think people should think twice before saying it is sabotage or anything similar.

Posted by: Anonymous | November 28, 2007 8:21 PM | Report abuse

You can also uninstall the QT plugin for your browsers, not the whole program. Then you can save files and play from your computer.
For Firefox:
and you also have to disable plugin scanning:

Posted by: josef | November 29, 2007 5:18 PM | Report abuse

If you think about it, it appears Apple is able to make more computers vulnerable than Microsoft. And if Apple can't code a simple media player with competence then can we expect the same in Mac OS X? I bet a nickel OS X has more vulnerabilities than Windows!

Posted by: Anonymous Coward | November 30, 2007 12:53 PM | Report abuse

Apparently this one is not an OS X vulnerability, since this exploit only works on the Windows version of QuickTime. And one of the key components involved is ActiveX, naturally.

Posted by: bp | December 1, 2007 1:50 AM | Report abuse

Mike [possibly]

Speaking of Firefox, even the most recent of the 2 updates this last week does still not allow me to post lengthy comments on the WaPo electronic edition.


Even though 5,000 characters are allowed, after about 3,000 when I click 'post' the post either does not occur or is declined. To achieve the post, I have to click edit, then copy -- close Firefox and open up another browser, find the story, click on comments and then do the post using the other browser [also Mozilla] and there is never a problem then.

Is this a WaPo compatibility issue, which I doubt ??? or a Firefox quirk ??? It is a CONSISTENT quirk at least.

Posted by: | December 2, 2007 2:57 AM | Report abuse

"Apparently this one is not an OS X vulnerability, since this exploit only works on the Windows version of Quick Time. And one of the key components involved is ActiveX, naturally."

This is not true. It also affects Mac OS X.

Posted by: Anonymous Coward | December 2, 2007 10:32 AM | Report abuse


© 2010 The Washington Post Company