Quicktime Zero Day Exploit News And Updates

[Saint_Michael 3]

On monday it was reported that Quicktime 7.2 and 7.3 versions come with a new exploit in which malware could on to a person's computer through streaming videos. They only mention that XP and Vista are the only affect systems and no word came about on the Mac operating system. They mention that a buffer overflow bug was made in which it "contains a stack buffer overflow vulnerability in the way Quicktime handles the RTSP Content-Type header." For those who don't know what RTSP is, RTSP is the Real-Time Streaming Protocol which apple uses for its QuickTime software to complicate the problem even further they mention that since ITunes uses Quicktime for its music it could be "widespread", and so the solution they gave until a patch was found was to block RTSP, disable the QuickTime ActiveX component for Internet Explorer and QuickTime plug-in for Mozilla, and disabling JavaScript.

So not to get to far a head of myself, in Thursday's article they mention that for this to work a person would have to download a file with common extensions such as .mov or .3gp. They also mention in the current update that in fact the malicious files is actually a XML "will force the player to open an RTSP connection on port 554 to the malicious server hosting the exploit." On top of that this exploit can be enable through browsers as well by clicking on a url that is connected the malicious server and when tested against the common browsers Ie 6/7 and Safari 3 have prevented the attack; unfortunately firefox users cannot prevent this attack because of the QuickTime plug-in and thats if users have Quicktime as their default player.

Symantec mentions that its antivirus software will detect the exploit as Trojan called Quimkids, and so make sure for those who use Norton Antivirus to update your software and scan to see if your computer has this trojan installed. Right now no patch has been made at this time but I would suspect that there should be one by Tuesday the latest. So they still recommend that you "prohibit the RSTP protocol on your networks; disabling QuickTime browser objects; disabling JavaScript where possible; and avoiding untrusted QuickTime files."

Now how Vista is affected by this is that the security is set up in such a way that Vista doesn't allow buffer overflows to happen, however, Apple programmers failed to enable ASLR addressing, and thus the reason why Vista will become open for malicious hackers, and software to get into a Vista running computer. Of course Apple was quick to fire off blame to Microsoft by saying ""If programmers are required to code their application differently, then it's not Apple's programmers who are at fault for not using ASLR, but Microsoft for not enforcing and making this feature a default behavior of all applications." So expect some back forth on this exploit between these two companies until a patch is made and the exploit is resolved.

Users and administrators can count on seeing more exploits of QuickTime and iTunes, Storms said. "Hackers will continue to target cross-platform media applications because it's what most users use on the Web; and there is a greater likelihood that a successful attack on Windows can be easily transformed for Apple. Both iTunes and QuickTime fall into this category and have been favorite haunts for hackers for some time now," he said.

It is also interesting to note that 7.3 just came out recently because of a exploit used in the TIFF files and some java support problems as well, and with the above quote expect QuickTime to become big in security related news next year. Of course will keep you updated on this exploit as well.

SOURCES
Article 1
Article 2
Symantec Trojan Info
Trojan Info #2

[rayzoredge 2]

So from what I understand, it's the RTSP protocol that allows for this vulnerability to happen? I was always under the impression that media files weren't able to harbor viruses; only archives, executables, and any other non-media file did (most commonly ZIPs, TARs, EXEs, etc.).I know that files can be renamed with extensions, but I didn't think that the scripts would execute because it couldn't be opened...So again, I'm just wondering: is it just because of the way streaming media is interpreted by the RTSP protocol?