QuickTime Exploit Greets 'Month of Apple Bugs'
Both Mac and Windows Users Affected by QuickTime Exploit
Ed Sutherland
A quick and easy exploit of a flaw in Apple's QuickTime application may have Mac and Windows users beginning the New Year with a fresh round of security concerns. The exploit kicks off the Month of Apple Bugs (MOAB) project, the goal of which is to reveal problems with the Mac OS X operating system before informing vendors.
A problem in how QuickTime handles URLs could pose a risk, according to MOAB, which described the vulnerability as being "trivial" to exploit and released code displaying "Happy New Year" on systems running QuickTime and QuickTime Player versions 7.13 and earlier.
Apple was not immediately available for comment.
The flaw lies in how QuickTime handles "rtsp://" URLs: a specially crafted string could overflow a stack buffer, "leading to an exploitable remote arbitrary code execution condition," according to the MOAB bulletin.
The group announced an exploit, explaining it preferred to release the security vulnerability prior to notifying vendors.
"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial," the group explained.