Windows and Mac OS X Systems Vulnerable Due to QuickTime Flaw

A new vulnerability has been discovered in the very popular application QuickTime, which may be used by malicious people to compromise an affected system, security company Secunia wrote in an advisory published today. The "Apple QuickTime RTSP Reply Reason-Phrase Buffer Overflow" notification was flagged as highly critical, Secunia advising affected consumers to avoid
opening untrusted websites or opening malicious .QTL files. According to several reports, both Windows and Mac systems are affected. The vulnerability has been confirmed in version 7.3.1.70, but other versions may be also affected.

"Luigi Auriemma has reported a vulnerability in Apple QuickTime, which potentially can be exploited by malicious people to compromise a user's system", Secunia wrote in the notification published today.

"The vulnerability is caused due to a boundary error when handling RTSP replies and can be exploited to cause a buffer overflow via e.g. sending a specially crafted reply containing an overly-long 'Reason-Phrase'. Successful exploitation may allow execution of arbitrary code, but requires that the user is e.g. tricked into opening a malicious QTL file or visiting a malicious web site."

Apple QuickTime on Windows
 


As you may know, QuickTime 7.3.1.70 is the latest release coming from the Cupertino company Apple, so we'll have to wait for a new patch in order to use the program without any risk.

As I've said, QuickTime is pretty popular among the Internet consumers. In order to prove it, look for QuickTime on Softpedia.com and look for the number of downloads section. As you're able to see, no less than 84,399 users have downloaded the Windows flavor of the program, while the Mac version attracted only 22,470 hits. However, keep in mind that QuickTime is implemented into Mac OS X by default, so no download is necessary.

If you'd like to download the latest version of QuickTime, you can find the Windows version HERE while the Mac flavor can be downloaded from HERE.

[Source: softpedia]

0 comments