Zero-day exploit in QuickTime could hit Win iTunes users: "
Filed under: Security
Over the weekend, security researchers announced a vulnerability in QuickTime's handling of the RTSP streaming protocol, and Windows-only exploit code is already circulating. The flaw allows attackers to craft specially formatted RTSP responses that cause a buffer overflow, and as a result they can execute arbitrary code in the context of the logged-in user. Unfortunately, there are plenty of ways to get someone to click a malicious RTSP link, including sending it in email or including it on a website. While Symantec notes that IE and Safari for Windows appear to be resistant to the exploit code, opening a malicious RTSP link in current versions of Firefox or in QuickTime Player would allow the exploit to run.For now, there is no Mac version of the exploit (cold comfort to the millions of iTunes for Windows users); hopefully there will be a QuickTime security patch on both platforms before any additional exposure occurs. Rich Mogull at TidBITS has some helpful tips for securing your network, including blocking the RTSP protocol both at the firewall and for outbound connections via Little Snitch.[via TidBITS](Via The Unofficial Apple Weblog (TUAW).)
No comments:
Post a Comment