Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Apple QuickTime RTSP URL Handler Vulnerability

Published: 2007-01-03
Last Updated: 2007-01-03 08:33:07 UTC
by Scott Fendley (Version: 4)
0 comment(s)
 The Month of the Apple bugs seems to have started. The first bug is in the handling of RTSP URL's within Quicktime, leading to arbitrary code execution on both Windows and Mac OS. You can find the advisory here:
http://projects.info-pull.com/moab/MOAB-01-01-2007.html.  The MOAB blog states that you should disable the rtsp:// URL handler, however I have not determined how this is done.

Update 1:

Robert helped me find something I was missing.  Guess I am just blind today or was just paying a little too much attention to the bowl games. 

To disable RTSP URLs in QuickTime for Windows, open the QuickTime control panel.  Then, select the File Types tab.  Expand the Streaming category and make sure the RTSP stream descriptor is unchecked.  Here is a screen capture of this from my Windows based computer.   I recommend that you make sure that this is unchecked. 



Update 2: To disable RTSP URLs in QuickTime for OSX,  go to System Preferences -> QuickTime -> Advanced -> MIME Settings -> Streaming - Streaming Movies -> Uncheck RTSP stream descriptor.  Thanks Swa, David and Carl for helping me find where it is located on this architecture.  Here is the OSX screen capture.



Update 3: Our thanks to Rosyna from Unsanity.org who pointed out that the above fix for OSX may not be sufficient due to the round-about fashion in which QTL files are handled by OSX (it doesn't use the RTSP handler, hence disabling it isn't a complete fix). She points to this application package as a fix: http://landonf.bikemonkey.org/code/macosx/MOAB_Day_1.20070102060815.15950.zadder.local.html . NOTE: this fix requires a third party application to be loaded which may introduce its own set of issues and vulnerabilities!
-tk
Keywords:
0 comment(s)
Diary Archives