Just days after a vulnerability was first found in Apple’s QuickTime multimedia software, a proof-of-concept exploit has been published. The vulnerability was found in QuickTime 7.2 and 7.3, according to research firm SecurityFocus.
The vulnerability is triggered by the way QuickTime handles malicious RTSP data streams. Symantec says the exploit could be delivered by sending unsuspecting users a file with an extension typically associated with QuickTime, such as .mov or .3gp. The file is not a media file; rather, it is an XML file that forces the player to open an RTSP connection on port 554 to the malicious server hosting the exploit.
According to Symantec, the QuickTime Player then contacts the remote server and receives back the malformed RTSP response, which triggers the buffer overflow and the immediate execution of the attacker’s shellcode.
The exploit can also be used in a Web browser by having the user click on a URL. The attack has been tested against “some of the common Web browsers,” but with Internet Explorer 6/7 and Safari 3 Beta the attack is prevented.
Firefox users are not as lucky. Because Firefox allows users to play multimedia files in the QuickTime Player application, the current version of the exploit works perfectly against Firefox if users have chosen QuickTime as the default player for multimedia formats, according to Symantec.
Symantec Antivirus will detect the exploit as Trojan.Quimkids. The company recommended several other measures users can employ to further protect themselves, including prohibiting the RTSP protocol on their networks; disabling QuickTime browser objects; disabling JavaScript where possible; and avoiding untrusted QuickTime files.
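
A triage check for the delivery file described above, as an added example that is not part of the original article or Symantec's detection: it flags files named .mov or .3gp whose content is markup containing an rtsp:// URL rather than a media container. The atom list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Atom types that normally open a real QuickTime/3GP container (bytes 4..7).
MEDIA_ATOMS = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"pnot"}
QT_EXTENSIONS = (".mov", ".3gp")          # extensions named in the article
RTSP_URL = re.compile(rb"rtsp://[^\s\"'<>]+", re.IGNORECASE)


def _as_ascii_compatible(data: bytes) -> bytes:
    """Re-encode BOM-marked UTF-16 text so byte-level checks still work."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace").encode("utf-8")
    return data


def triage(filename: str, data: bytes) -> dict:
    """Classify one file: 'skipped', 'media', 'suspicious' or 'unknown'."""
    if not filename.lower().endswith(QT_EXTENSIONS):
        return {"verdict": "skipped", "rtsp_urls": []}
    if len(data) >= 8 and data[4:8] in MEDIA_ATOMS:
        return {"verdict": "media", "rtsp_urls": []}
    text = _as_ascii_compatible(data)
    is_markup = text[:256].lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<")
    urls = [u.decode("ascii", "replace") for u in RTSP_URL.findall(text)]
    # Markup in a media-named file that points at an RTSP server matches the
    # delivery pattern described above; anything else is just not a container.
    verdict = "suspicious" if is_markup and urls else "unknown"
    return {"verdict": verdict, "rtsp_urls": urls}


# Constructed samples (not taken from the real exploit or any real file).
REAL_MOV = b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00qt  "
FAKE_MOV = b'<?xml version="1.0"?>\n<clip src="rtsp://media.example.invalid:554/a"/>\n'

if __name__ == "__main__":
    for name, blob in [("holiday.mov", REAL_MOV), ("trailer.mov", FAKE_MOV),
                       ("trailer.3gp", FAKE_MOV.decode().encode("utf-16"))]:
        print(name, triage(name, blob))
```

A "suspicious" verdict is a reason to quarantine the file and review the listed server, not proof of the exploit; the check is suited to mail gateways or download folders where opening the file in the player is to be avoided.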