New warnings have been issued recently by security researchers on an attack code aimed at what seems to be an unpatched bug in Apple Inc.'s QuickTime. In-the-wild attacks against systems running Windows XP and Vista are expected to follow. No precise statement about Mac OS X versions of the media player being liable to the same extent, was, however, made.
Both Symantec Corp. and the U.S. Computer Emergency Readiness Team emphasize that the danger lies in visiting malicious and fraudulent Web sites where this flaw (which comes with the player's handling of the Real Time Streaming Protocol -RTSP) becomes the target of the attackers due to expressly-crafted streaming content located within these sites. The flaw can also be exploited when opening a rigged QTL file attached to an e-mail message.
Symantec acknowledges Polish researcher Krystian Kloskowski as being the first to report the zero-day vulnerability on the milw0rm.com Web site Friday. Together with an anonymous researcher (InTeL), Kloskowski set about figuring out the problem – they came up with separate proof-of-concept models that performed on Windows XP SP2 and Windows Vista machines running QuickTime 7.2 or 7.3.
According to InTeL, Vista is more exposed to risk because QuickTimePlayer binary does not have Address Space Layout Randomization (ASLR) enabled. The latter represents a feature which designates at random data and application components, such as exe and dll files, to memory in order to make it much more difficult for the location of vital functions or vulnerable code to be traced.
Patrick Jungles, a Symantec researcher, reminded of previous QuickTime vulnerabilities and drew attention on the risk that some applications face due to their popularity.
QuickTime was last patched about three weeks ago, when Apple put out Version 7.3 to secure numerous critical image-rendering and Java-related vulnerabilities. A total of 31 flaws have been fixed this year alone through six QuickTime security-related updates.
