“The QuickTime vulnerability disclosed in the Windows version of QuickTime last week also affects Mac OS X, Symantec Corp. said today,” Gregg Keizer reports for Computerworld.
“According to additional research by Symantec’s security response team, the Real-Time Streaming Protocol (RTSP) bug in QuickTime is also present in the Mac versions of Apple Inc.’s media player. ‘We tested it, and the [proof-of-concept] exploit does cause a denial of service,’ said Marc Fossi, manager of the Symantec team, explaining that the Windows-specific attack code fails to give a hacker access to a Macintosh but instead causes QuickTime to crash,” Keizer reports. “Fossi cautioned Mac users against believing that they are in the clear. ‘QuickTime vulnerabilities have tended to affect both Windows and Mac OS X, and it’s always possible that a denial of service could lead to remote code execution,’ he warned.”
“Fossi also said that on Windows, it now appears that Microsoft Corp.’s Internet Explorer Versions 6 and 7, as well as the beta of Apple’s Safari browser, will offer some additional protection against attacks that are based on duping users into visiting malicious or compromised sites hosting rigged streaming content,” Keizer reports. “‘The buffer overflow protection built into IE and in Safari prevents the exploit shell code from executing in the [QuickTime] plug-in,’ said Fossi. To successfully attack a user via IE or Safari, the current exploit example would have to be refined, Symantec added in a posting to its security blog today. Firefox, however, provides no such protection.”