Attackers are trying to make use of the exploit code released last week for Apple’s popular QuickTime media player, prompting Symantec to raise its ThreatCon back to Level 2. Here’s the email advisory sent to customers of Symantec’s DeepSight threat management service:
The ThreatCon is currently at Level 2. As of December 1, 2007 the DeepSight honeynet has observed active exploitation of the Apple QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability. This vulnerability was originally disclosed on November 23, 2007 and since this time we have seen numerous exploits targeting the flaw being released to the public. At the time of writing, there has been no vendor-supplied patch released for this issue.
The attack observed was hosted on 184.108.40.206 (2005-search.com) over TCP port 554. Additionally, the IP address is hosting a web server, which contains script code directing users to the exploit. The IP hosting the attack is referenced by another domain, resolving to 220.127.116.11.
Customers are urged to filter outgoing access to these IP addresses immediately to aid in immediate prevention of exploitation. Symantec is currently investigating this attack further. Currently the main script page users will come into contact with prior to exploitation is detected by Symantec as Downloader.
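The advisory describes two observable pieces: a landing page whose script points the browser at an RTSP server, and an RTSP response from that server carrying an oversized header that overflows a stack buffer in QuickTime. The script below is an added example, not code from Symantec, Apple or the advisory: it extracts rtsp:// references from captured page content and runs a simple length heuristic over a captured RTSP response. The 256-byte threshold, the header names and the sample page and responses are constructed for illustration; the advisory does not name the vulnerable header, so every header value is checked.

```python
"""Heuristics for the attack pattern in the advisory: an HTML page that
redirects to an RTSP server, and an RTSP response with an overlong header.
Added example; the threshold and all sample data are constructed, not taken
from the advisory."""
import re
from typing import List, Tuple

# Assumption: a legitimate RTSP server rarely sends a header value longer
# than this. It is a tunable heuristic, not a figure from the advisory.
MAX_HEADER_VALUE_LEN = 256
MAX_HEADER_COUNT = 64

STATUS_LINE_RE = re.compile(rb"^RTSP/1\.0 (\d{3}) (.*)$")
# Matches rtsp://host or rtsp://host:port inside script or HTML text.
RTSP_URL_RE = re.compile(rb"rtsp://([^\s/:'\"<>]+)(?::(\d+))?", re.IGNORECASE)


def find_rtsp_references(page: bytes) -> List[Tuple[str, int]]:
    """Return (host, port) pairs for every rtsp:// URL in a captured page.
    RTSP's default port is 554, so that is used when no port is given."""
    refs = []
    for host, port in RTSP_URL_RE.findall(page):
        refs.append((host.decode(errors="replace"), int(port) if port else 554))
    return refs


def parse_rtsp_response(data: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw RTSP response into its status line and a list of
    (lower-cased name, value) headers. Parsing stops at the first blank line;
    the body, if any, is ignored."""
    head, _, _body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            headers.append((line, b""))  # malformed header line, no colon
            continue
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def inspect_rtsp_response(data: bytes) -> List[str]:
    """Return a list of findings for one RTSP response; an empty list means
    nothing tripped the heuristics."""
    findings = []
    status, headers = parse_rtsp_response(data)
    if not STATUS_LINE_RE.match(status):
        findings.append("malformed or non-RTSP status line: %r" % status[:40])
    if len(headers) > MAX_HEADER_COUNT:
        findings.append("%d headers (limit %d)" % (len(headers), MAX_HEADER_COUNT))
    for name, value in headers:
        label = name.decode(errors="replace")
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append("header %s value is %d bytes (limit %d)"
                            % (label, len(value), MAX_HEADER_VALUE_LEN))
        # Shellcode and return addresses are rarely printable ASCII.
        if any((b < 0x20 and b != 0x09) or b >= 0x7F for b in value):
            findings.append("header %s contains non-printable bytes" % label)
    return findings


# Constructed samples. 203.0.113.10 is a documentation address, not an
# indicator from the advisory.
LANDING_PAGE = (b"<html><script>window.location="
                b"'rtsp://203.0.113.10:554/movie.mov';</script></html>")
BENIGN_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: Example/1.0\r\n"
                   b"Public: OPTIONS, DESCRIBE, SETUP, PLAY\r\n\r\n")
HOSTILE_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: "
                    + b"A" * 1024 + b"\r\n\r\n")

if __name__ == "__main__":
    print("rtsp hosts on landing page:", find_rtsp_references(LANDING_PAGE))
    for label, sample in (("benign", BENIGN_RESPONSE), ("hostile", HOSTILE_RESPONSE)):
        print(label, inspect_rtsp_response(sample) or "no findings")
```

The length check is deliberately crude: it is meant to run over honeynet or proxy captures on TCP 554 to triage which RTSP servers deserve a closer look, not to replace a vendor patch, which at the time of the advisory did not exist.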