Yet another critical vulnerability in Quicktime 7.3
USCert has issued a warning concerning a buffer overflow in the current version of Apple QuickTime. Attackers can manipulate content type headers in an RTSP data stream to cause a buffer overflow that allows malicious code to be injected into the system under attack. Users of Apple's iTunes multimedia software are also affected by the hole because the current version of QuickTime is installed on systems when iTunes is installed.
Demo programs that reportedly demonstrate the vulnerability have already popped up in the milw0rm archive. Until Apple releases a patch for this vulnerability, the only workaround for the playback of RTSP streams is to use other software or to restrict the use of streaming data via the firewall. Users are also advised to be careful with QuickTime Link files (.qtl), which can also reference RTSP sources. Apple released version 7.3 only a few weeks ago.
(mba)