Apple QuickTime contains a stack buffer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.
Real Time Streaming Protocol (RTSP) is a protocol that is used by streaming media systems. The Apple QuickTime Streaming Server and QuickTime player both support RTSP.
Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header. This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream. Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability.
By convincing a user to connect to a specially crafted RTSP stream, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. An attacker can use various types of web page content, including a QuickTime Media Link file, to cause a user to load an RTSP stream.
Apple has released QuickTime 7.3.1 to address this issue. Until updates can be applied, please consider the following workarounds. Note that these workarounds block certain attack vectors, but do not remove the vulnerability.
This vulnerability was publicly disclosed by Krystian Kloskowski.
This document was written by Ryan Giobbi and Will Dormann.
|Date First Published:||2007-11-24|
|Date Last Updated:||2008-01-11 00:39 UTC|