Apple QuickTime exploit published
The Apple QuickTime zero-day exploits are also targeting systems running Apple Safari 3.0 on Windows, Firefox, and Microsoft's Vista, XP, Internet Explorer 6, and IE7,
SANS also reminded people to undo the workarounds once Apple develops a patch for the security problem. Otherwise, the QuickTime streams won't work on your system.
Security researchers are warning that exploit code has been published that can take advantage of an extremely critical security flaw in a protocol supported by Apple QuickTime.
Apple QuickTime versions 7.2 and 7.3 on Microsoft Windows Vista and Windows XP Pro SP2 are both affected, according to an advisory originally posted on Milw0rm.com.
And because Apple's iTunes contains a component of QuickTime, installations of iTunes are also at risk, according to a security advisory by the United States Computer Emergency Readiness Team (US-CERT).
The security flaw is found in the Real Time Streaming Protocol (RTSP) supported by Apple's QuickTime Streaming Server and QuickTime player, US-CERT notes. As a result, users who load a malicious RTSP stream, via a QuickTime Media Link file or by visiting a malicious Web page, may find their systems compromised. Attackers could, for example, execute arbitrary code on users' systems or launch a denial-of-service attack.
Earlier this month, Apple released QuickTime 7.3 to address seven security flaws in QuickTime 7.2. The fixes, however, did not deal with the RTSP vulnerability cited by security researchers over the past three days.
US-CERT is recommending users consider several workarounds to potentially minimize exposure to the RTSP vulnerabilities. The workarounds include disabling QuickTime ActiveX controls on Internet Explorer, QuickTime plug-ins for Mozilla-based browsers, JavaScript, and file association for QuickTime files. Other suggestions include avoiding QuickTime files that come from untrusted sources.
Security firm Secunia has rated the vulnerability "extremely critical."





What did you expect? A flawless application like they tout on the commercials?
Yea.... Right....
You Apple Fans, welcome to the real world.
Until Apple learns to develop applications to minimize this like the way Microsoft has been doing for the past 1 1/2 expect more. And yes Microsoft has gotten a lot better. Their beta releases are rock solid let alone their official releases.
"see Apple sucks too!" when this QuickTime exploit only affects
"Windows Vista and Windows XP Pro SP2" and not OSX.
What you conveniently ignore is the fact that Windows causes
the flaw . . . allows the exploit . . . It's the base programming of
Windows that allows this to happen . . . It's full of holes.
You guys scream that the ONLY reason there are no viruses or
exploits out there for OSX is that "the market share is too small
so why bother".
Here we have an exploit for a program (QuickTime) that runs on
both OS's but only affects Windows . . . QuickTime is a well
written program . . . Windows is flawed . . . that's why it's so
easy to attack.
Waaaa waaaa . . . let the Flames begin (^0^)/
What a great product.