Thursday, 25 January 2007
Apple Plugs Zero-day QuickTime Flaw |
| |
|
| |
Apple has given out a patch that claims to curtail a security hole in its QuickTime media player software. Due to the vulnerability an attacker could exploit the flaw by placing a RTSP string in a QuickTime file and deceiving the user into opening that file, Apple said.
"A buffer overflow exists in QuickTime's handling of RTSP URLs," according to the Apple alert. "By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution." The update addresses the issue by performing additional validation of RTSP links, Apple said.
"The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account," said LMH, the alias of one of the two security researchers behind the Month of the Apple Bugs. "It can be triggered via JavaScript, Flash, common links, QTL files and any other method that starts QuickTime."
"Twenty two days for a remote issue that leads to code execution right away is sort of insane," the pseudonymous LMH said. "There was already an exploit and it was being abused in targeted attacks."
|
| |
|
|
| |
|
|
| |
|
|
| |
|
