LMH says Apple QuickTime flaw could enable botnets

News

LMH says Apple QuickTime flaw could enable botnets

Bill Brenner, Senior News Writer
The vulnerability researcher known as LMH kicked off what he calls a "Month of Apple Bugs" Monday by detailing a new flaw in Apple Computer's widely used QuickTime media player. Attackers could exploit the issue to draft new machines into their botnets.

In a posting on his Apple Fun blog, LMH described the flaw as a stack overflow error that surfaces when the program handles a malformed "rtsp" URL. To exploit this, attackers could set up a malicious Web site and lure users there. Or, they could trick users into opening a malicious .qtl file.

For more information

Check out our resources on Mac OS security

Nearly one year ago, Apple fixed multiple flaws in QuickTime
The flaw affects Apple QuickTime version 7.1.3 as well as earlier versions. As of Monday morning, Apple had not yet acknowledged the flaw, and the Cupertino, Calif.-based vendor did not immediately respond to a request for comment.

The French Security Incident Response Team (FrSIRT), which deemed the issue critical, recommended in an advisory that users disable Real Time Streaming Protocol support to mitigate the threat.

Calling the security hole highly critical, Danish vulnerability clearinghouse Secunia recommended in its advisory that users refrain from opening untrusted .qtl files.

This is LMH's second month-long project to expose numerous flaws affecting major computer vendors. In November, he conducted what was called the Month of Kernel Bugs, which was inspired by the Month of Browser Bugs spearheaded by Metasploit Framework creator H.D. Moore last July.

Related Topics: PC hardware, VIEW ALL TOPICS

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy