Computer Reviews and Computer Products – Computer Shopper


Search:
Go!


Today on CNET
Reviews
News
Downloads
Tips & Tricks
CNET TV
Compare Prices
Blogs
Cell phones| Desktops| Digital cameras| Laptops| MP3 players| TVs| All Categories
CNET's free newsletters


Rob Vamosi's
award-winning
column on Internet threats and how to counter them  
Delivered Mondays
Sign up now
All free newsletters

CNET Security Center: Your complete source of antivirus and Internet security information.

Apple QuickTime rtsp URL handler buffer overflow
A flaw in real-time streaming of QuickTime videos could allow remote attackers to compromise your Windows or Mac system.
By Robert Vamosi (January 2, 2007)

QUICK FACTS
Name: Apple QuickTime rtsp URL handler buffer overflow

Date first reported: 01/01/07

Vulnerable software: Microsoft Windows and Mac OS X versions of QuickTime Version 7.1.3, Player Version 7.1.3, and earlier.

What it does: Could allow remote access and execution of malicious code.

Recommendations: Not clicking on links beginning with "rtsp://"; or disable the QuickTime rtsp:// URL handler; or uninstall Quicktime.

Exploit code available: Yes

Vendor patch available: No
8
out of 10
INTERNET THREAT RATING
How we rate
There's a buffer overflow affecting both the Windows and Mac version of Apple QuickTime 7.1.3 real-time streaming protocol (rtsp). The flaw allows remote attackers to execute arbitrary code which could allow remote access and the arbitrary execution of malicious code on compromised machines. If a user clicks a very long and specially crafted QuickTime video URL, an attacker could load malicious code onto Microsoft Windows or Apple Mac OS X machines.

At this time, there is no patch available from Apple. Users should avoid clicking URLs that begin with "rstp://." One workaround within QuickTime is to disable the rtsp:// URL handler. To do so, Mac users should open QuickTime, go to Preferences, click the Advanced tab, and select Mime Settings; once there, uncheck the box next to Streaming - Streaming Movies. For Windows users, click Edit, then Preferences, and then QuickTime Preferences. Select File Types from the pull-down menu or tab options. On the File Types page click Streaming - Streaming Movies to display additional options and uncheck the box next to RSTP stream descriptor if necessary.

Additional Resources:

NIST: CVE-2007-0015

MOAB: MOAB-01-01-2007

Milworm.com: 3064



Help Center|Newsletters|Corrections|What's New|All Product Reviews|
Search:
Go!

Popular topics: Apple | Antivirus | Cell Phones | Dell | Digital Camera | Firefox 3 | Games | iPhone | iPod | iTunes | Laptops | Norton | PS3 | Verizon | Wii | Xbox 360
CNET.com
About CNET|Today on CNET|Reviews|News|Compare prices|Tips & Tricks|Downloads|CNET TV
Popular on CBS sites: Fantasy Football | Miley Cyrus | MLB | Wii | GPS | Recipes | Mock Draft
About CNET Networks | Jobs | Advertise


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use