Security vulnerability attack released for Apple Quicktime

Without notifying Apple of his intent to do so, security researcher Luigi Auriemma has released an exploit that will allow attackers to take control of computers running the latest version of Apple Quicktime.

“The bug is a buffer-overflow and the return address can be fully overwritten so a malicious attacker could use it for executing malicious code on the victim,” Auriemma said in an e-mail.

. . .

Auriemma said that Apple was not been notified of the flaw in advance of its publication.

When Apple updated QuickTime to version 7.3.1 on December 13, 2007, it fixed an RTSP buffer overflow bug (CVE-ID: CVE-2007-6166) related to the content-type/content-base header. The vulnerability Auriemma has identified relates to error message handling and remains unpatched.

I’m guessing Apple will get a patch out quite quickly for this one, but in the meantime, practice safe browsing and consider disabling Quicktime until a patch is available.