0 Replies Latest reply on Nov 27, 2007 8:36 AM by HarryWaldron

    Apple QuickTime and iTunes Critical Vulnerabilities

      :eek: Quicktime and possibly iTunes processing could be affected by malformed RSTP headers found in QT music formats. Users should be careful with email attachments and website visitation, plus watch for any forthcoming QT updates, as Apple will most likely patch this serious vulnerability promptly.

      Apple QuickTime and iTunes Critical Vulnerabilities
      http://secunia.com/advisories/27755/
      http://isc.sans.org/diary.html?storyid=3690
      http://www.frsirt.com/english/advisories/2007/3984
      http://www.kb.cert.org/vuls/id/659761
      http://www.f-secure.com/weblog/archives/00001325.html

      QUOTE: Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header. This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream. Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability.

      ISC UPDATE-1: We have received a report that exploits are now working for Vista, XP, IE6, IE7, and Safari 3.0 on Windows. Keep in mind that other attack vectors may be vulnerable as well.

      ISC UPDATE-2: Firefox has been reported as an exploit vector as well.