• On CBSNews.com: Can 365 Nights Of Sex Fix A Marriage?
advertisementBack up files automatically
January 11, 2008 11:39 AM PST

Another QuickTime RTSP flaw announced

Posted by Robert Vamosi
  • Print

There is a new exploit that affects how Apple QuickTime handles the Real Time Streaming Protocol (RTSP) and may allow an attacker to execute arbitrary code or cause a denial-of-service attack on a vulnerable system. The condition is similar yet different from a QuickTime RTSP flaw reported in December. This new vulnerability can occur on a fully patched QuickTime version 7.3.1, running on Windows and possibly Mac OS X.

Discovered by Luigi Auriemma, details can be found here, and here. Auriemma provides an exploit example on his site and writes: "For exploiting this vulnerability is only needed that an user follows a rtsp:// link, if the port 554 of the server is closed QuickTime will automatically change the transport and will try the HTTP protocol on port 80, the 404 error message of the server (other error numbers are valid too) will be visualized in the LCD-like screen."

Apple has not said when a patch for this will become available.

Topics:

Security

Tags:

security,

Apple,

Quicktime,

RTSP,

buffer overflow,

Luigi Auriemma

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from Defense in Depth
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Add a Comment (Log in or register) 5 comments
Assume the protocol is flawed
by mjm01010101 January 11, 2008 12:44 PM PST
There has been a vuln found in quicktime every month ever since release. Assume the protocol and player are therefore flawed.
Reply to this comment
flawed assumption
by sjkx January 11, 2008 1:01 PM PST
Just because a protocol has security vulnerabilities doesn't imply
it's flawed, especially if it wasn't designed to be secure. Using your
"logic" many Internet protocols (including TCP and IP) are flawed.
View reply
RTSP is the industry accepted standard (even for MS!)
by Ilgaz January 11, 2008 1:57 PM PST
The "Protocol" isn't flawed, its implementation (one of many!) has
issue. If Apple acts late again, whole web will be full of "uninstall
quicktime" advices which will hurt many things such as
mpeg4/h264 standard adoption.
Apple said "Sometime in Early 2008"....
by fred dunn January 15, 2008 6:44 AM PST
What a real help. It appears they are more concerned with showing new products and Steve Job's ego than with security.
Reply to this comment
advertisement

In the news now

Apple's iPhone 2.2
hits the street

The latest software update offers several improvements to Google maps as well as wireless downloading for podcasts.



The big chill for holiday parties?

Tech companies faced with cost-cutting may not be canceling the annual festivities outright, but things are certainly being done differently this year.



About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET