SANS ISC: InfoSec Handlers Diary Blog

Apple QuickTime 7.3 RTSP Response 0day

Published: 2007-11-26
Last Updated: 2007-11-29 18:02:05 UTC
by Joel Esler (Version: 9)

Thank you all for writing in!!  We appreciate it, things have been a little crazy around the ISC today, so we haven't been able to throw some stuff up on the diary about the QuickTime bug.  (We've had to wake everyone up, they all ate turkey..tryptophan... it's not pretty, anyway...)

As outlined by Secunia, Apple's QuickTime 7.2 and 7.3 have an overwrite condition via incorrect RTSP parsing.  Check it out here

There are several things you can do until this gets patched (just remember to undo them after you patch!).

1) Block the RTSP protocol.  Ports are 554/tcp and 6970-6999/udp.

CORRECTION:  The RTSP protocol can go over any port. (Thank you for correcting me.)  The US-CERT exact verbiage says:

"Blocking the RTSP protocol with proxy or firewall rules may help mitigate this vulnerability. Note that RTSP (default 554/tcp and 6970-6999/udp) may use a variety of port numbers, so blocking the protocol based on a particular port may not be sufficient."

Excuse my poor paraphrasing.

2) Set the Killbit for QuickTime CLSIDs:


There are some other recommendations over at the US-CERT site.  But like I said, remember to undo them after the patch, or you will be wondering why things aren't working with your QuickTime streams.

Please remember that QuickTime is a component of iTunes...
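To illustrate the US-CERT caveat under mitigation 1, here is an added example (not from the original diary or from US-CERT) that compares a port-only rule with a check on the first line of the TCP payload. The sample flows, the `media.example` host name and all function names are constructed for this illustration.

```python
import re

# Methods defined for RTSP/1.0 (RFC 2326).
RTSP_METHODS = (b"DESCRIBE", b"ANNOUNCE", b"GET_PARAMETER", b"OPTIONS", b"PAUSE",
                b"PLAY", b"RECORD", b"REDIRECT", b"SETUP", b"SET_PARAMETER", b"TEARDOWN")
REQUEST_LINE = re.compile(rb"^(?:" + b"|".join(RTSP_METHODS) + rb") \S+ RTSP/\d\.\d\r?$")
STATUS_LINE = re.compile(rb"^RTSP/\d\.\d \d{3}(?: .*)?\r?$")

DEFAULT_RTSP_TCP_PORTS = {554}  # default TCP port named in the US-CERT note


def classify_first_line(payload: bytes) -> str:
    """Return 'rtsp-request', 'rtsp-response' or 'other' for a TCP payload."""
    first_line = payload.split(b"\n", 1)[0]
    if REQUEST_LINE.match(first_line):
        return "rtsp-request"
    if STATUS_LINE.match(first_line):
        return "rtsp-response"
    return "other"


def port_rule_blocks(server_port: int) -> bool:
    """Port-only rule: blocks a flow only when it uses the default port."""
    return server_port in DEFAULT_RTSP_TCP_PORTS


def content_rule_blocks(payload: bytes) -> bool:
    """Content rule: blocks a flow whose first line looks like RTSP, on any port."""
    return classify_first_line(payload) != "other"


# Constructed sample flows: (server TCP port, first payload seen on the flow).
SAMPLE_FLOWS = [
    (554, b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n"),
    (8080, b"DESCRIBE rtsp://media.example/clip.mov RTSP/1.0\r\nCSeq: 1\r\n\r\n"),
    (8080, b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"),
    (80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]


def missed_by_port_rule(flows):
    """RTSP flows that the port-only rule lets through but the content rule catches."""
    return [(port, classify_first_line(data)) for port, data in flows
            if content_rule_blocks(data) and not port_rule_blocks(port)]


if __name__ == "__main__":
    for port, kind in missed_by_port_rule(SAMPLE_FLOWS):
        print(f"port {port}: {kind} not covered by the port-only rule")
```

A first-line check like this does not see RTSP that is tunnelled inside HTTP, so it narrows the gap left by port rules rather than closing it.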


UPDATE:  We have received a report that exploits are now working for Vista, XP, IE6, IE7, and Safari 3.0 on Windows.  Keep in mind that other attack vectors may be vulnerable as well.

UPDATE-2:  Firefox has been reported as an exploit vector as well.

UPDATE-3:  Thanks to a friend of mine:  What's wrong with this picture?  Boy this vulnerability looks familiar...

UPDATE-4:  We recommend following US-CERT's guidelines.  I've been asked a lot "what do you know, what can I do".  Welp, that's what I recommend.

UPDATE-5:  Looks like the exploit is now affecting OS X.  With this single exploit it affects:

"+leopard_ppc +leopard_x86 +tiger_x86 +tiger_ppc +win_xpsp2"

Joel Esler


With popularity comes responsibility

Published: 2007-11-26
Last Updated: 2007-11-26 19:44:31 UTC
by Stephen Hall (Version: 1)

There has been considerable growth in online collaboration tools. Wikis are an excellent example of these, and the growth of their use has been dramatic.

However, this success can lead to logistical issues when security advisories are released. Today a reader contacted us with a plea to help alert users of TikiWiki that exploits are actively being used against it.

The TikiWiki team have been working hard on fixing a number of reported vulnerabilities with their Wiki. However, it is the site administrators that have been slow to update their systems.

Mose from the TikiWiki project has been very helpful in highlighting that they are working on a new administration pane within their application which will alert administrators to new releases being available. Until then, if you are using TikiWiki, please update to the latest release. For details go to:
