Exploit for Apple QuickTime Vulnerability in the Wild

Updated: 29 Jun 2009
Joji Hamada

On November 25, we blogged about proof-of-concept exploit code for Apple's QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability being disclosed to the public. Now a week has passed and Symantec's DeepSight honeynet has spotted at least one active exploitation in the wild.

Originally, the flaw was disclosed on November 23, 2007 by Polish security researcher Krystian Kloskowski, and since then we have seen a number of exploits targeting the vulnerability being released to the public. But now the exploit is active and in the wild, meaning web surfers are in danger of being attacked. Our current analysis is also leading us to believe that there may be multiple attacks in existence. Further investigation is currently under way to confirm this.

Let me briefly explain what we have seen. The attack we have confirmed today begins with the popular IFRAME. IFRAME code, which causes the browser to make an additional request to another URL, is embedded in a porn site. Without their knowledge, users visiting this site are redirected to the malicious site serving the exploit. Currently, the malware that is downloaded by the exploit is detected by Symantec as Downloader. We are still studying the attack in depth, so look out for more information at a later time.

Since a patch to correct the issue has yet to be released, we advise users to be cautious when browsing the web. For those of you seeking extra protection, we also recommend the following options:

- Run web browsers at the highest security settings possible.
- Disable Apple QuickTime as a registered RTSP protocol handler.
- Filter outgoing activity over common RTSP ports, including TCP port 554 and UDP ports 6970-6999.
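
One way to check that the port filter in the last option is actually in effect is to look for allowed outbound flows to those ports in firewall or flow logs. The following is an added example, not part of the original post or any Symantec tooling; the log format, the sample records, and the use of RFC 1918 ranges as the "internal" network are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports named in the advisory's filtering recommendation.
RTSP_TCP_PORTS = {554}
RTSP_UDP_PORTS = range(6970, 7000)  # 6970-6999 inclusive

# Assumption: RFC 1918 space is the internal network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: "timestamp proto src:port dst:port action"
SAMPLE_LOG = """\
2007-12-01T10:00:01 TCP 10.0.0.5:49152 203.0.113.10:554 ALLOW
2007-12-01T10:00:02 TCP 10.0.0.5:49153 203.0.113.10:80 ALLOW
2007-12-01T10:00:03 UDP 10.0.0.7:50000 198.51.100.4:6975 ALLOW
2007-12-01T10:00:04 UDP 10.0.0.7:50001 198.51.100.4:7000 ALLOW
2007-12-01T10:00:05 TCP 10.0.0.9:49200 10.0.0.20:554 ALLOW
2007-12-01T10:00:06 TCP 10.0.0.8:49300 203.0.113.10:554 DENY
garbage line
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in INTERNAL_NETS)

def is_rtsp_port(proto, port):
    proto = proto.upper()
    return ((proto == "TCP" and port in RTSP_TCP_PORTS) or
            (proto == "UDP" and port in RTSP_UDP_PORTS))

def unfiltered_rtsp_egress(log_text):
    """Map each internal source IP to the outbound RTSP flows that were allowed."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        _, proto, src, dst, action = parts
        try:
            src_ip = src.rsplit(":", 1)[0]
            dst_ip, dst_port = dst.rsplit(":", 1)
            dst_port = int(dst_port)
            outbound = is_internal(src_ip) and not is_internal(dst_ip)
        except ValueError:
            continue
        if outbound and action == "ALLOW" and is_rtsp_port(proto, dst_port):
            hits[src_ip].append((proto.upper(), dst_ip, dst_port))
    return dict(hits)
```

Any host returned by `unfiltered_rtsp_egress` reached an external address on an RTSP port without being blocked, so the egress rule is either missing or not covering that path.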