A security researcher who ferreted out the year's first vulnerability for Apple's QuickTime media player has posted proof-of-concept exploit code. Within hours, a second researcher chimed in to say it appears that only the Windows version of QuickTime is vulnerable; the Mac OS X edition apparently doesn't exhibit the same dangerous behavior.
Luigi Auriemma, a 27-year-old Italian researcher who broke the news of the flaw on Thursday, said that the most recent version of QuickTime is prone to a buffer overflow that, if successfully exploited, gives the attacker free rein over a user's computer. He posted information and proof-of-concept code on security site, milw0rm, his own website and multiple mailing lists.
The problem, said Auriemma, arises when QuickTime tries to open a Real-Time Streaming Protocol (RTSP) connection and the server has closed TCP port 554. The player then automatically tries to open an HTTP connection on port 80. An attacker can exploit the weakness by duping a user into visiting a malicious site that includes an rtsp:// link; when QuickTime fails to connect, it automatically seeks out an HTTP server on the same system. The attacker, of course, would have made sure that there was an HTTP server there and would have populated it with the exploit.
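The fallback described above leaves a footprint a defender can look for: a refused connection to port 554 followed almost immediately by an HTTP connection from the same client to the same host. As an added illustration that is not code from the article or from any of the researchers, this small Python check flags that pattern over constructed connection-log lines; the log format, addresses and the five-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RTSP_PORT = 554   # RTSP's own TCP port, the one QuickTime tries first
HTTP_PORT = 80    # the port QuickTime falls back to on Windows
WINDOW = timedelta(seconds=5)  # assumed gap between refusal and fallback

# Constructed sample log (assumed format): "time src dst dport result"
SAMPLE_LOG = """\
2008-01-10T14:02:01 10.0.0.7 203.0.113.5 554 refused
2008-01-10T14:02:02 10.0.0.7 203.0.113.5 80 connected
2008-01-10T14:05:10 10.0.0.9 203.0.113.5 554 connected
2008-01-10T14:05:11 10.0.0.9 203.0.113.5 80 connected
2008-01-10T14:07:00 10.0.0.7 198.51.100.2 554 refused
2008-01-10T14:09:30 10.0.0.7 198.51.100.2 80 connected
"""


def parse(line):
    """Split one log line into (timestamp, src, dst, dport, result)."""
    ts, src, dst, dport, result = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), result


def find_fallbacks(log_text, window=WINDOW):
    """Return (src, dst, t_rtsp, t_http) for every client whose RTSP attempt
    to a host was refused and that then opened HTTP to the same host within
    `window`. A successful RTSP connection never counts as a fallback."""
    refused = defaultdict(list)  # (src, dst) -> refused-RTSP timestamps
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, result = parse(line)
        key = (src, dst)
        if dport == RTSP_PORT and result == "refused":
            refused[key].append(ts)
        elif dport == HTTP_PORT and result == "connected":
            for t in refused[key]:
                if timedelta(0) <= ts - t <= window:
                    hits.append((src, dst, t, ts))
    return hits


if __name__ == "__main__":
    for src, dst, t_rtsp, t_http in find_fallbacks(SAMPLE_LOG):
        print(f"{src} -> {dst}: RTSP refused {t_rtsp}, HTTP fallback {t_http}")
```

Only the first client pair matches with the default window; the third pair is separated by well over five seconds and the second one succeeded on RTSP, so neither is flagged.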
Symantec's DeepSight threat network and US-CERT both posted advisories Thursday after confirming the vulnerability. Symantec downplayed the proof-of-concept's efficacy: "In its current state, [the proof-of-concept] is not capable of achieving arbitrary code execution."
Although US-CERT's alert didn't confirm that, it did suggest several defensive moves in lieu of a patch from Apple. "Uninstalling QuickTime will mitigate this vulnerability," said the organization, which is part of the U.S. Department of Homeland Security. "Blocking the RTSP protocol with proxy or firewall rules may help mitigate this vulnerability [and] users of Mozilla-based browsers such as Firefox can disable the QuickTime plug-in."
Internet Explorer users can also set the "kill bit," said US-CERT, while Firefox users can protect themselves by installing the NoScript plug-in.
About three hours after Auriemma posted his findings on the Bugtraq security mailing list, another Italian researcher, Marcello Barnaba, reported that his tests indicated only the Windows version is vulnerable. "Tried on QuickTime 7.3.10 running on OSX 10.5.1, and the player doesn't try to connect to port 80 if 554 is closed," said Barnaba. "So the bug should lie somewhere in the 'fallback' that [QuickTime] employs on Windows when finding out that the [RTSP] port is closed."
Auriemma's discovery is only the latest in a long line of QuickTime bugs. During 2007, Apple plugged at least 34 holes in the player. Less than a month ago, in fact, Apple fixed an RTSP flaw in QuickTime that had been reported several weeks earlier by a Polish security researcher.
The bug plague isn't limited to QuickTime, but affects virtually every media player, noted Andrew Storms, director of security operations at nCircle. "If you haven't come to the realization yet that media players are a significant target and likewise a threat to information security, then it's time to take notice and take action," said Storms. "Winamp, RealPlayer, QuickTime and iTunes all realised security vulnerabilities in 2007.
"Enterprises [should] reevaluate these products' rewards versus risk, and there is plenty of evidence on the side of risk at the moment."
Apple officials did not immediately respond to a request for comment.