Month of Apple Bugs begins with critical Quicktime hole

In its retrospective on 2007, heise Security predicted that "holes in media player plug-ins and software" would play a crucial role this year. It is thus no surprise that the hacker operating under the pseudonym LMH has started off the Month of Apple Bugs exposing a flaw in Quicktime, including a zero day exploit. Special rtsp:// URLs typically used for Quicktime videos can cause a buffer overflow on the stack. Attackers can use them to execute arbitrary code. Such URLs can be embedded in web sites so that they are automatically opened when the site is visited and they can also be sent as emails.

According to LMH Mac and Windows versions of Quicktime 7.1.3 are affected and probably older versions are too. The Ruby script provided creates a Quicktime file that exploits the flaw to generate a New Year's greeting on Intel Macs via the Apple system's voice output. In a test at heise Security, the Quicktime player merely crashed due to a problem in the hard-coded addresses to call system functions; apparently, they were not correct on the test system. In a modified version of the exploit, however, it was possible to make the CPU jump to a predefined address by manipulating the instruction pointer, which suggests that the exploit would run on the test system after some minor adjustments.

Unfortunately, it's probable that the first web sites to exploit this hole to spread malcode will be appearing soon. Until an updated version of Quicktime is released, you can only protect yourself by disabling the programs and plug-ins registered for Quicktime formats. You can do this on Mac OS X in the "Preferences" of Quicktime, under "Advanced" in the "Mime Settings"; deactivate the checkbox next to "Streaming - Streaming Movies" there.

See also:

• MOAB-01-01-2007: Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow by LMH

(trk)