A Bug in Quicktime Leaves Video Watchers Vulnerable

There’s a “Highly Critical” vulnerability that exists in the Apple QuickTime handling of rtsp:// URLs which was reported by NIST (National Institute of Standards and Technology).

There’s a “Highly Critical” vulnerability that exists in the Apple QuickTime handling of rtsp:// URLs which was reported by NIST (National Institute of Standards and Technology). According to reports the exploit causes a stack-based buffer overflow that can lead to remote arbitrary code execution. The vulnerability affects both the Windows and Apple OS X versions with QuickTime Player version 7.1.3 installed; previous versions are also probably vulnerable.

The bug was discovered by LMH, a MOAB organizer who hasn’t disclosed his name.

So if you use Quicktime for your rich media content you should be aware of the vulnerability that exists in the software.

What happens is that a malicious URL can be accessed when using the rtsp:// link or by utilizing a page that embeds a link with using rtsp:// using HTML or Javascript.

NIST stated that the only way to prevent the vulnerability is to disable the rtsp:// URL handler or uninstall QuickTime all together. So if you’re one of those avid movie watchers or MySpace fans you should be warned that you should uninstall the program you could be attacked by malicious code on web pages and could take over a system.

There is no patch available at this time.