
SANS ISC: Active exploitation of Quicktime RTSP Response vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums


Active exploitation of Quicktime RTSP Response vulnerability

Symantec is reporting an active exploit site for the QuickTime RTSP Response vulnerability described in CVE-2007-0166. Currently, the malicious stream is hosted on port 554 of the server 85.255.117.212. We can already confirm the exploit; we are still investigating and will publish further details when they become available.

As in our previous diary entry on this, we recommend following US-CERT's recommendations:

  • Set the kill bit for the following QuickTime CLSIDs for Internet Explorer:
    {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
    {4063BE15-3B08-470D-A0D5-B37161CFFD69}
  • Disable the QuickTime plug-in for Mozilla browsers;
  • Disable QuickTime file associations;
  • Filter traffic on the common RTSP ports (554/tcp and 6970-6999/udp). This provides only partial mitigation.

Each of these measures makes the use of valid QuickTime content next to impossible, so please be aware of the impact this may have on your organization.

--
Maarten Van Horenbeeck
