Apple Vulnerability Project Launches with QuickTime Exploit

[s18000rpm]

An easy-to-exploit security vulnerability in Apple Computer's QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks. The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January.

According to an advisory released Jan. 1, the flaw exists in the way QuickTime handles a specially rigged "rtsp://" URL. "By supplying a specially crafted string, [an] attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition," said LMH, one of the mysterious hackers behind the controversial project.

LMH said the issue was successfully exploited in QuickTime Player Version 7.1.3. Previous versions are likely vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.

The Cupertino, Calif.-based Apple markets QuickTime as a platform for the handling of video, sound, animation, graphics, text and music. The technology—and media player—is available for Windows and Mac users, making it a lucrative target for malware writers.

"The only potential workaround would be to disable the "rtsp://" URL handler, uninstalling QuickTime or simply live with the feeling of being a potential target," according to the advisory.

Source : eWeek.com

 

[aryayush]

Ho hum... :yawn: *www.cerocforum.com/images/smilies/msn/Sleepy.gif

 

[gxsaurav]

lolz...arya, just like always.....a critical bug, but no one cares among mac users. When tomorrow it is exploited indeed, even then u won't care

 

[iMav]

because its a bug in the apple .... doosre ki thalli mein kida toh haste hain apni thaali mein toh bolte hain chalta hai koi farak nahi

 

[aryayush]

I will pay heed to these crazy attention-seeking pretentious projects the day an actual virus makes its way onto my Macintosh (which has no anti-virus software installed).
BTW, this project proves its silliness in the second day itself by posting a bug for the VLC media player, an open source, community driven application which has a Windows counterpart too. Even Windows PCs are affected by the vulnerability. So how come they term it as an 'Apple bug'! They are already grabbing at straws.
This is just an over-hyped, stupid and hypocritical project intended to get widespread media attention. If they were to do a similar project for Windows, they would have had to christen it 'The sixty years of Windows bugs'! LOL!

a critical bug, but no one cares among mac users.

Which is why Landon Fuller, a former Apple engineer, has already released a fix for the QuickTime vulnerability on his website and the VLC team is already working on a fix and will be releasing it soon.

When tomorrow it is exploited indeed, even then u won't care

I've been waiting for this 'tomorrow' since forever...