Web pages infect PCs via Apple QuickTime vulnerability
The vulnerability in Apple's QuickTime media player reported last week is apparently already actively being exploited by the first web pages to infect visitors' Windows PCs with malware. Attackers can cause a buffer overflow and inject malicious code into vulnerable systems by sending crafted content type headers in RTSP datastreams. Users of Apple's iTunes multimedia software are also affected, as a current version of QuickTime is installed as part of the iTunes installation.
Although a proof of concept exploit was already available when the vulnerability was published, nobody had so far seen any pages which contained it. Now, a porn page monitored by Symantec loads the exploit through an IFrame and injects PCs with a downloader which subsequently retrieves and installs more malicious code. Apple has so far not released an update to resolve the problem.
Several measures can be taken as a workaround. In Internet Explorer it helps to set the kill bit for the QuickTime ActiveX control. Find instructions in the US-Cert's vulnerability notice. In Firefox, the plug-in can be deactivated simply by deleting it from the /Program Files/Mozilla Firefox/plugins path. Additional protective measures include deactivating JavaScript or restricting the use of the NoScript Firefox plug-in and disabling Apple QuickTime as a registered RTSP protocol handler. In addition, administrators can block the network's RTSP ports (TCP port 554 and UDP ports 6970-6999). The Internet Storm Center lists the IP addresses of several suspicious sites in its blog.
- Exploit for Apple QuickTime Vulnerability in the Wild, Symantec security advisory
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
