The flaw – discovered by Polish researcher Krystian Kloskowski – occurs when the latest version of the popular media player processes real-time streaming protocol (RTSP) replies, according to a Secunia advisory. The bug can be exploited to launch a stack-based buffer overflow that gives hackers the ability to infect machines with malicious code.
"It can result in code execution with the privilege level of the user who is running QuickTime," Mark Fossi, manager of Symantec Security Response, told SCMagazineUS.com today. "So if you have a user who is logged in with administrative privileges, obviously any code that executes would be as the administrator."
The exploit – which works on QuickTime version 7.3 – can be propagated either by tricking a user into opening a malicious email attachment or visiting a compromised website, Fossi said. In the case of the latter, this particular attack could be incorporated into the MPACK toolkit, he said.
The Cupertino, Calif.-based computing giant released version 7.3 on Nov. 5 to resolve a number of vulnerabilities that could have led to arbitrary code execution. It is the fourth edition of QuickTime to be released this year, according to Apple.
An Apple spokeswoman could not be reached for comment today.
Fossi said he has witnessed an increase in the number of vulnerabilities targeting all media players.
"It has a lot to do with the amount of multimedia content that is available online, and you combine the wide availability of broadband," he said. "You've got a lot more people using the internet for streaming video. A lot of people are very willing to follow links to a video. That makes a really good attack surface."
In lieu of a patch for this vulnerability, users can block the RTSP protocol, disable the QuickTime ActiveX controls in Internet Explorer or disable the QuickTime plug-in in Mozilla Firefox, according to a US-CERT vulnerability note.
As a general rule, users should also avoid accessing QuickTime files from untrusted sources, US-CERT said.
Proof-of-concept exploit targets Apple QuickTime
By Dan Kaplan on Nov 27, 2007 10:22AM