'Month of Apple Bugs' begins with QuickTime exploit
“LMH” and Kevin Finisterre have begun the Month of Apple Bugs, a self-described initiative to “improve Mac OS X” by “finding security flaws in different Apple software and third-party applications designed for” Mac OS X. The initiative kicks off with a description of a flaw that affects QuickTime 7.1.3.
Tagged as “MOAB-01-01-2007,” it describes a vulnerability in QuickTime’s ability to handle Real Time Streaming Protocol (rtsp) hyperlinks.
“Exploitation of this issue is trivial, and stack NX can be rendered useless via ret-to-libc,” they continued.
The problem reported affects QuickTime 7.1.3, the current shipping version on both Mac OS X and Microsoft Windows. The MOAB team offers instructions for how to reproduce the problem, and suggest that the only workaround for it is to disable the rtsp:// URL handler, uninstall QuickTime “or simply live with the feeling of being a potential target for pwnage.”
“Pwnage” is Internet slang for being badly beaten by an opponent; the term originated with gamers.
LMH is the pseudonym of an as-yet unidentified hacker, and Kevin Finisterre is founder of Digital Munition and a Mac user. Finisterre has been credited with the creation of the InqTana worm, a Java-based proof of concept worm that exploited a vulnerability in Bluetooth on some Macs, which first came to light in February, 2006.