Researchers discover new QuickTime vulnerability

The United States Computer Emergency Readiness Team (US-CERT) has discovered a new buffer overflow vulnerability with Apple’s QuickTime media software.

The vulnerability affects both Mac and Windows operating systems. Because QuickTime is part of Apple’s popular iTunes jukebox software, that application is also affect, researchers said.

The vulnerability is found in the way QuickTime handles RTSP response messages. When attempting to display a specially crafted Reason-Phrase, QuickTime Player crashes at a memory location that can be controlled by an attacker, according to US-CERT.

The organization also said that they are aware of publicly available proof-of-concept code for this vulnerability.

US-CERT offers several solutions to the problem including uninstalling QuickTime, Blocking the RTSP protocol and disabling the QuickTime plug-ins in your Web browser.

Attackers targeted QuickTime in December in a separate RTSP vulnerability that Apple later fixed with a software update.

Apple representatives were not immediately available for comment.

Subscribe to the Apple @ Work Newsletter

Comments