US-CERT Technical Cyber Security Alert TA07-005A -- Apple QuickTime RTSP Buffer Overflow

National Cyber Alert System

Technical Cyber Security Alert TA07-005A

Apple QuickTime RTSP Buffer Overflow

Original release date: January 05, 2007
Last revised: January 24, 2007
Source: US-CERT

Systems Affected

Apple QuickTime on systems running

Apple Mac OS X
Microsoft Windows

Note that Apple iTunes and other software using the vulnerable QuickTime components are also affected.

Overview

Apple QuickTime contains a buffer overflow in the handling of RTSP URLs. This can allow a remote attacker to execute arbitrary code on a vulnerable system.

I. Description

A vulnerability exists in the way Apple QuickTime handles specially crafted Real Time Streaming Protocol (RTSP) URL strings. Public exploit code is available that demonstrates how opening a .QTL file triggers the buffer overflow. However, we have confirmed that other attack vectors for the vulnerability also exist.

Possible attack vectors include

a web page that uses the QuickTime plug-in or ActiveX control
a web page that uses the rtsp:// protocol
a file that is associated with the QuickTime Player

US-CERT is tracking this issue as VU#442497. This reference number corresponds to CVE-2007-0015.

Note that this vulnerability affects QuickTime on Microsoft Windows and Apple Mac platforms. Although web pages can be used as attack vectors, this vulnerability is not dependent on the specific web browser that is used.

II. Impact

By convincing a user to open specially crafted QuickTime content, a remote, unauthenticated attacker can execute arbitrary code on a vulnerable system.

III. Solution

Install an update

Apple has released Security Update 2007-001.

The Mac OS X update is available via Software Update or from Apple Downloads.

The Microsoft Windows update is available through Apple Software Update, which is included with QuickTime 7.1.3. An updated version of "%ProgramFiles%\QuickTime\QuickTimePlayer.exe" has file version 7.1.3.191.

IV. References

US-CERT Vulnerability Note VU#442497 - <http://www.kb.cert.org/vuls/id/442497>
Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>
About Security Update 2007-001 - <http://docs.info.apple.com/article.html?artnum=304989>
Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704>
Apple - Support - Search Results - <http://search.info.apple.com/?search=Go&q=2007-001>
How to repair Software Update for Windows - <http://docs.info.apple.com/article.html?artnum=304264>
Apple - QuickTime - Download - <http://www.apple.com/quicktime/download/win.html>
CVE-2007-0015 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>

Feedback can be directed to US-CERT.

Produced 2007 by US-CERT, a government organization. Terms of use

Revision History

January 05, 2007: Initial release
January 23, 2007: Updated Solution section
January 24, 2007: Updated Solution section with Windows information

Last updated January 24, 2007

US-CERT: United States Computer Emergency Readiness Team

Information For

Sign Up

Reporting

DHS Threat Advisory