First QuickTime Vulnerability of 2008

By Dave Nixon

January 14, 2008

Luigi Auriemma, the security researcher responsible for identifying the year’s first vulnerability in Apple’s QuickTime media player, has published proof-of-concept exploit code. Soon afterward, a second researcher reported that only the Windows version of QuickTime appears to be at risk; the Mac OS X edition does not seem to show the same dangerous behavior.

Auriemma, who broke the news of the defect last week, said that the latest version of QuickTime is susceptible to a buffer overflow that, if successfully exploited, gives the attacker control over a user’s computer. He posted information and proof-of-concept code on his personal mailing list and security site, milw0rm.

The trouble, said Auriemma, occurs when QuickTime attempts to open a Real-Time Streaming Protocol (RTSP) connection and the server has closed TCP port 554. QuickTime then automatically attempts to open an HTTP connection on port 80.

The weakness can be exploited by duping a user into visiting a malicious site that includes an rtsp:// link; when QuickTime fails to connect, it automatically looks for an HTTP server on the same system. The attacker, naturally, would have set up an HTTP server there and loaded it with the exploit.
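From the defender's side, the sequence described above (a failed RTSP connection followed at once by an HTTP connection to the same host) can be searched for in connection logs. The following is an added example, not code from the article or from any vendor; the CSV log layout, the result labels, the 5-second window and the `known_servers` allowlist are assumptions, and because the fallback is something QuickTime does routinely, hits are leads for triage rather than verdicts.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample flow log (not real traffic).
# Assumed columns: time, client, server, dst_port, result
SAMPLE_LOG = """\
2008-01-14T10:00:01,10.0.0.5,203.0.113.7,554,refused
2008-01-14T10:00:02,10.0.0.5,203.0.113.7,80,established
2008-01-14T10:05:00,10.0.0.8,198.51.100.2,554,established
2008-01-14T10:05:01,10.0.0.8,198.51.100.2,80,established
2008-01-14T10:07:00,10.0.0.9,192.0.2.44,554,refused
2008-01-14T10:09:30,10.0.0.9,192.0.2.44,80,established
2008-01-14T10:10:00,10.0.0.5,192.0.2.44,80,established
"""

RTSP_PORT, HTTP_PORT = 554, 80
FAILED = {"refused", "reset", "timeout"}  # assumed result labels


def find_rtsp_http_fallbacks(log_text, window_seconds=5, known_servers=frozenset()):
    """Flag HTTP connections that follow a failed RTSP attempt from the same
    client to the same server within window_seconds."""
    window = timedelta(seconds=window_seconds)
    rows = [r for r in csv.reader(io.StringIO(log_text)) if len(r) == 5]
    rows.sort(key=lambda r: r[0])  # ISO 8601 timestamps sort correctly as text
    pending = {}  # (client, server) -> time of the failed RTSP attempt
    hits = []
    for ts_text, client, server, port_text, result in rows:
        try:
            ts, port = datetime.fromisoformat(ts_text), int(port_text)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        key = (client, server)
        if port == RTSP_PORT:
            if result in FAILED:
                pending[key] = ts
            else:
                pending.pop(key, None)  # RTSP worked, so no fallback expected
        elif port == HTTP_PORT and result == "established":
            failed_at = pending.pop(key, None)
            if failed_at is None or server in known_servers:
                continue
            if ts - failed_at <= window:
                hits.append((client, server, failed_at.isoformat(), ts.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_rtsp_http_fallbacks(SAMPLE_LOG):
        print("RTSP failure then HTTP fallback:", hit)
```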

Symantec’s DeepSight threat network and US-CERT both posted advisories on Thursday after validating the vulnerability. Symantec played down the proof-of-concept’s effectiveness: “In its current state, [the proof-of-concept] is not capable of achieving arbitrary code execution.”

US-CERT, which is part of the U.S. Department of Homeland Security, suggested “Uninstalling QuickTime will mitigate this vulnerability. Blocking the RTSP protocol with proxy or firewall rules may help mitigate this vulnerability [and] users of Mozilla-based browsers such as Firefox can disable the QuickTime plug-in.”

US-CERT added that Internet Explorer users can set the “kill bit,” while Firefox users can safeguard themselves by installing the NoScript plug-in.

Approximately three hours after Auriemma published his conclusion on the Bugtraq security mailing list, a different Italian researcher, Marcello Barnaba, reported that his analysis indicated that only the Windows version is vulnerable. He stated “Tried on QuickTime 7.3.10 running on OSX 10.5.1, and the player doesn’t try to connect to port 80 if 554 is closed. So the bug should lie somewhere in the ‘fallback’ that [QuickTime] employs on Windows when finding out that the [RTSP] port is closed.”

Auriemma’s finding is only the most recent in a long line of QuickTime bugs. During 2007, Apple plugged at least 34 holes in the player. Less than a month ago, in fact, Apple fixed an RTSP defect in QuickTime that had been detailed several weeks earlier by a Polish security researcher.

The problem isn’t restricted to QuickTime, but affects practically all media players, noted Andrew Storms, director of security operations at nCircle. “If you haven’t come to the realization yet that media players are a significant target and likewise a threat to information security, then it’s time to take notice and take action,” said Storms. “Winamp, RealPlayer, QuickTime and iTunes all realised security vulnerabilities in 2007.

“Enterprises [should] re-examine these products’ advantages against risk, and there is plenty of evidence on the side of risk at the moment.”

Apple representatives did not immediately reply to a request for comment.
