An Italian researcher has identified a flaw in Apple
media application that can allow an attacker to perform a DoS
attack or take control of an affected PC.
The issue is caused by a buffer overflow
error when processing RTSP response messages and displaying the “Reason-Phrase.” Researcher Luigi Auriemma, the flaw's discoverer, confirmed to SCMagazineUS.com today that it can be exploited for remote code execution
The flaw affects QuickTime on Windows operating systems, but not Mac, according to Auriemma. No patch is available for the flaw. Secunia
, a Cophenhagen-based vulnerability monitoring organization, noted
that successful exploitation can take place when a user opens a specially crafted QTL file or visits a malicious website. The flaw, ranked “highly critical,” meaning that it is a zero-day
flaw but no exploit has been reported in the wild, exists in QuickTime version 126.96.36.199. FrSIRT
, the French Security Incident Response Team, today ranked
the flaw “critical,” meaning that it can be exploited from a remote location. US-CERT
also warned end-users about the flaw on Thursday, providing
a number of workarounds and advising users to avoid links including URL encoding, IP address variations, long URLs and intentional misspellings.
Amol Sarwate, director of Qualys
' vulnerability research lab, told SCMagazineUS.com today that an attack exploiting this flaw would target end-users who are not considered computer-savvy.
“I think a lot of it has to do with the popularity of QuickTime. When Internet Explorer was the browser king, many of the [disclosed] vulnerabilities were in Internet Explorer,” he said. “And it is operating system independent – you have QuickTime plug-ins for Windows and Mac – that's the reason it's being targeted.”