
SANS ISC: Active exploitation of Quicktime RTSP Response vulnerability SANS ISC InfoSec Forums

Active exploitation of Quicktime RTSP Response vulnerability

Symantec is reporting an active exploit site for the QuickTime RTSP Response vulnerability described in CVE-2007-0166. Currently, the malicious stream is hosted at port 554 on the server While we can already confirm the exploit, we are currently investigating and will publish further detail when it becomes available.

As in our previous diary entry on this, we recommend following US-CERT's recommendations:

  • Setting the kill bit for the following QuickTime CLSIDs for Internet Explorer:
  • Disabling the QuickTime plug-in for Mozilla browsers;
  • Disabling QuickTime file associations;
  • Filtering traffic on the common RTSP ports (554/tcp and 6970-6999/udp). This provides only partial mitigation.

Each of these measures makes the use of legitimate QuickTime content next to impossible, so please be aware of the impact this may have on your organization.

Maarten Van Horenbeeck


Dec 2nd 2007
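
To check which hosts the RTSP port filter recommended above would affect, or whether permitted flows are still crossing the perimeter, this added example (not part of the original diary) scans constructed firewall log lines for allowed traffic on 554/tcp and 6970-6999/udp. The log format, the RFC 1918 definition of "internal" and all addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# RTSP ports named in the mitigation list: 554/tcp and 6970-6999/udp.
RTSP_PORTS = {"tcp": range(554, 555), "udp": range(6970, 7000)}

# Assumption: RFC 1918 space is "internal"; adjust to your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real traffic), in a hypothetical format:
# timestamp proto src_ip:src_port dst_ip:dst_port action
SAMPLE_LOG = """\
2007-12-02T10:01:07Z tcp 10.1.4.22:49211 203.0.113.80:554 ALLOW
2007-12-02T10:01:08Z udp 203.0.113.80:6970 10.1.4.22:6970 ALLOW
2007-12-02T10:02:30Z tcp 10.1.9.5:50110 198.51.100.7:554 DENY
2007-12-02T10:03:12Z udp 10.1.4.30:554 203.0.113.80:554 ALLOW
2007-12-02T10:04:45Z tcp 10.1.4.31:51000 203.0.113.80:6971 ALLOW
2007-12-02T10:05:02Z tcp 10.1.4.22:49300 10.1.0.10:554 ALLOW
this line is malformed and must be skipped
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def parse(line):
    """Return (proto, src_ip, dst_ip, dst_port, action), or None if malformed."""
    try:
        _ts, proto, src, dst, action = line.split()
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return (proto.lower(), ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dst_port), action.upper())
    except ValueError:
        return None

def rtsp_exposure(log_text):
    """Map internal host -> external peers reached on an RTSP port and not blocked."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        proto, src_ip, dst_ip, dst_port, action = rec
        # The port only counts with its own protocol: 554/udp or 6971/tcp do not match.
        if dst_port not in RTSP_PORTS.get(proto, ()) or action != "ALLOW":
            continue
        # Only flows that cross the perimeter are relevant to the border filter.
        if is_internal(src_ip) != is_internal(dst_ip):
            host, peer = (src_ip, dst_ip) if is_internal(src_ip) else (dst_ip, src_ip)
            exposed[str(host)].add(str(peer))
    return dict(exposed)
```

An empty result on real logs only shows that nothing was allowed on these ports; as the diary notes, port filtering is a partial mitigation.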
