Apple QuickTime flaw could enable botnets

By Bill Brenner, Senior News Writer 02 Jan 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

In a posting on his Apple Fun blog, LMH described the flaw as a stack overflow error that surfaces when the program handles a malformed "rtsp" URL. To exploit this, attackers could set up a malicious Web site and lure users there. Or, they could trick users into opening a malicious .qtl file.

For more information Check out our resources on Mac OS security Nearly one year ago, Apple fixed multiple flaws in QuickTime

The flaw affects Apple QuickTime version 7.1.3 as well as earlier versions. As of Monday morning, Apple had not yet acknowledged the flaw, and the Cupertino, Calif.-based vendor did not immediately respond to a request for comment.

The French Security Incident Response Team (FrSIRT), which deemed the issue critical, recommended in an advisory that users disable Real Time Streaming Protocol support to mitigate the threat.

Calling the security hole highly critical, Danish vulnerability clearinghouse Secunia recommended in its advisory that users refrain from opening untrusted .qtl files.

This is LMH's second month-long project to expose numerous flaws affecting major computer vendors. In November, he conducted what was called the Month of Kernel Bugs, which was inspired by the Month of Browser Bugs spearheaded by Metasploit Framework creator H.D. Moore last July.

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting),  Alternative OS security: Mac, Linux, Unix, etc.,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Alternative OS security: Mac, Linux, Unix, etc. Machiavelli Mac OS X rootkit unveiled at Black Hat How secure is 'Platform as a Service (PaaS)?' Security comparison: Mac OS X vs. Windows Mac OS memory flaws pose challenges for enterprise endpoint protection Rootkit Hunter demo: Detect and remove Linux rootkits Oracle to buy Sun Microsystems for $7.4 billion How to harden Linux operating systems Serious holes in Mac OS X memory, researcher shows What is the best operating system for an FTP server implementation? Black Hat DC 2009: Mac OS attack method Alternative OS security: Mac, Linux, Unix, etc. Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary buffer overflow  (SearchSecurity.com) cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary