The issue is caused by a buffer overflow error when processing RTSP response messages and displaying the “Reason-Phrase.” Researcher Luigi Auriemma, the flaw's discoverer, confirmed to SCMagazineUS.com today that it can be exploited for remote code execution.
The flaw affects QuickTime on Windows operating systems, but not Mac, according to Auriemma. No patch is available for the flaw.
Secunia, a Cophenhagen-based vulnerability monitoring organization, noted that successful exploitation can take place when a user opens a specially crafted QTL file or visits a malicious website. The flaw, ranked “highly critical,” meaning that it is a zero-day flaw but no exploit has been reported in the wild, exists in QuickTime version 18.104.22.168.
FrSIRT, the French Security Incident Response Team, today ranked the flaw “critical,” meaning that it can be exploited from a remote location.
US-CERT also warned end-users about the flaw on Thursday, providing a number of workarounds and advising users to avoid links including URL encoding, IP address variations, long URLs and intentional misspellings.
Amol Sarwate, director of Qualys' vulnerability research lab, told SCMagazineUS.com today that an attack exploiting this flaw would target end-users who are not considered computer-savvy.
“I think a lot of it has to do with the popularity of QuickTime. When Internet Explorer was the browser king, many of the [disclosed] vulnerabilities were in Internet Explorer,” he said. “And it is operating system independent – you have QuickTime plug-ins for Windows and Mac – that's the reason it's being targeted.”