Windows users are vulnerable to a QuickTime bug, according to security researchers. The critical bug in Apple QuickTime 7.2 and 7.3 is in the player's handling of the Real Time Streaming Protocol (RTSP), an audio/video streaming standard, according to alerts posted by Symantec and the US Computer Emergency Readiness Team (US-CERT).
The researchers said attackers could exploit the flaw by duping Windows users into visiting malicious or compromised websites hosting specially-crafted streaming content, or by convincing them to open a rigged QTL file attached to an email message.
Symantec credited Polish research Krystian Kloskowski with first reporting the zero-day vulnerability on Milw0rm. By Saturday, Kloskowski and an unnamed researcher identified as 'InTeL' had followed up with separate proof-of-concept examples that executed on Windows XP SP2 and Windows Vista machines running QuickTime 7.2 or 7.3.
A successful exploit would let the attacker install additional malware - spyware or a spambot, say - or cull the system for information such as passwords. An attack that failed would likely only crash QuickTime.
A gaffe by Apple's developers, however, makes attack easier on Vista, said InTeL, who claimed that the QuickTimePlayer binary does not have Address Space Layout Randomisation (ASLR) enabled. ASLR is a Vista security feature that randomly assigns data and application components, such as .exe and .dll files, to memory to make it tougher for attackers to determine the location of critical functions or vulnerable code.
Apple's forgetfulness prompted Symantec analyst Anthony Roe to note: "This makes reliable exploitation of the vulnerability a lot easier."
Another Symantec researcher, Patrick Jungles, added that QuickTime vulnerabilities usually draw attackers quickly. "In the past, we have seen a very short period of time between the release of proof-of-concept exploits for QuickTime vulnerabilities and the development of working exploits by attackers," said Jungles in a note to customers of his company's DeepSight threat network. "Popular applications such as QuickTime are strong candidates for exploitation in the wild."
Apple last patched QuickTime less than three weeks ago when it released version 7.3 to fix a number of critical image-rendering and Java-related vulnerabilities. So far in 2007, Apple has issued six QuickTime security-related updates that have fixed a total of 31 flaws.
For more PC security news, reviews and tutorials, see Security Advisor