The vulnerability researcher known as LMH kicked off what he calls
a "Month of Apple Bugs" Monday by detailing a new flaw in Apple
Computer's widely used QuickTime media player. Attackers could
exploit the issue to draft new machines into their botnets.
In a posting on his
Apple Fun blog, LMH described the flaw as a
stack overflow error that surfaces when the program handles a
malformed "rtsp" URL. To exploit this, attackers could set up a
malicious Web site and lure users there. Or, they could trick
users into opening a malicious .qtl file.
The flaw affects Apple QuickTime version 7.1.3 as well as earlier
versions. As of Monday morning, Apple had not yet acknowledged the
flaw, and the Cupertino, Calif.-based vendor did not immediately
respond to a request for comment.
The French Security Incident Response Team (FrSIRT), which
deemed the issue critical, recommended in an
advisory that users disable Real Time Streaming
Protocol support to mitigate the threat.
Calling the security hole highly critical, Danish vulnerability
clearinghouse Secunia recommended in its
advisory that users refrain from opening
untrusted .qtl files.
This is LMH's second month-long project to expose numerous flaws
affecting major computer vendors. In November, he conducted what
was called the
Month of Kernel Bugs, which was inspired by
the
Month of Browser Bugs spearheaded by
Metasploit Framework creator H.D. Moore last July.