Monday, November 26, 2007
QuickTime RTSP Content-Type header stack buffer overflow
If you have been keeping up with Mac OS X security over the last year, you'll know that the Apple software with the most vulnerabilities has been QuickTime. The security company Secunia has been harping at Apple to get all the holes patched, but the going has been slow. The problem became acutely evident in December 2006, when poor programming in the MySpace interface allowed exploitation of a scripting vulnerability in QuickTime, letting MySpace pages infected with script malware infect the MySpace pages of visitors. Apple came out with a quick patch specific to MySpace, but the overall cleanup of QuickTime's problems has been ongoing.
The new vulnerability, on both Mac and Windows, affects a streaming technology built into QuickTime called RTSP. Hackers are already exploiting the security hole. You can read the details at the US-CERT (United States Computer Emergency Readiness Team) website:
Keep in mind that these are the folks that have been so incredibly inept that the US federal government computer system has been vastly compromised by bots that have been sending secure computer data to China in that country's secretly declared technology war against the rest of the world. So if US-CERT believes this problem with QuickTime is important, it is useful to believe them.
According to US-CERT the impact of this problem is:
"By convincing a user to connect to a specially crafted RTSP stream, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. An attacker can use various types of web page content, including a QuickTime Media Link file, to cause a user to load an RTSP stream."
At this time there is no single solution to the problem. Check the US-CERT link above for some temporary measures that may help. At the very least, have your firewall ON. If you want to complete the firewall cycle, blocking outgoing calls to the Internet, download and try out LittleSnitch, $25 shareware. You can get it from the usual places such as MacUpdate.com or VersionTracker.com. I am going to read up a bit more on how this vulnerability is exploited to know whether LittleSnitch is any help in this case. If you are using LittleSnitch, I would at the very least turn OFF the iTunes and QuickTime player settings to "Allow Any Connection" and "Allow TCP connections to port 554 (rtsp)". Instead, you should approve such connections temporarily, one at a time.