Apple QuickTime RTSP "Content-Type" Header Buffer Overflow
ronjor
December 3rd, 2007, 07:54 AM
{QUOTE-> Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Apple QuickTime 7.x
Description:
h07 has discovered a vulnerability in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.
<-QUOTE}
Secunia (http://secunia.com/advisories/27755/)
Rmus
December 3rd, 2007, 11:58 AM
Interesting comment:
http://blogs.zdnet.com/security/?p=697&tag=nl.e589
{QUOTE-> "QuickTime is the new IE and Apple is the new Microsoft," said a researcher who works closely with both companies on vulnerability reports. <-QUOTE}
This should not be taken to pick on just Apple, but to show that any piece of software is potentially subject to abuse. Microsoft is no longer the only player in the hot seat.
Usual vector of attack:
http://secunia.com/advisories/27755/
{QUOTE-> ... requires that the user is e.g. tricked into opening a malicious QTL file or visiting a malicious web site. <-QUOTE}
A friend emailed last night that a check of all known exploit sites showed they were adult web sites. So far the attack's goal is the usual:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9050478&source=NLT_VVR&nlid=37
{QUOTE-> There are two types of attacks underway, Symantec said. In the first, victims' computers are being redirected from an adult Web site, Ourvoyeur.net, to another Web site that infects the computer with an application called loader.exe, <-QUOTE}
----
rich
Dogbiscuit
December 9th, 2007, 06:21 AM
Would disabling plugins prevent an attack through the browser?
Rmus
December 9th, 2007, 11:14 AM
Some workarounds are listed here:
Apple QuickTime RTSP Content-Type header stack buffer overflow
http://www.kb.cert.org/vuls/id/659761
----
rich
lucas1985
December 9th, 2007, 01:36 PM
{QUOTE-> Would disabling plugins prevent an attack through the browser? <-QUOTE}
NoScript is your friend ;)
Dogbiscuit
December 9th, 2007, 07:46 PM
Thanks for the link Rmus. I didn't realize there were so many ways to help mitigate against the vulnerability.
Rmus
December 9th, 2007, 10:41 PM
You are welcome.
You will notice that most of the solutions end up disabling QT or its functions.
Before thinking about employing a "work-around" solution, I consider:
1) the likelihood of encountering the exploit
2) what the exploit actually is
For 1) I noted in an above post the sources of the malicious files, and determined that I and users I help wouldn't be in that territory.
For 2) I noted what the work-around solutions actually accomplished:
{QUOTE-> Note that these workarounds block certain attack vectors, but do not remove the vulnerability. <-QUOTE}
The vulnerability lets the exploit download/install an executable by remote code execution -- easily prevented by currently installed security -- in effect blocking the attack.
Conclusion: workaround solution not necessary in my case.
The same approach can apply to numerous such file-type exploits, such as .pdf, .doc.
Most of the time, to get relevant information, you have to dig further than the initial press release, which usually doesn't give many technical details of the exploit.
It may be that one doesn't have to take drastic measures: just have careful user policies in place and security that prevents the particular exploit payload.
This suffices until a patch is released.
----
rich