Zero Day Exploit For QuickTime Flaw

InformationWeek is reporting that an Italian security researcher has posted a exploit for a zero-day vulnerability in QuickTime 7.3.1 that impacts both OS X and Windows versions of the software. This exploit will allow an attacker to execute malicious code on the target system.

The “researcher”, Luigi Auriemma, describes the exploit as being based on a flaw in QuickTime’s parsing of HTTP error messages and has not provided Apple with advance notice before publishing the proof-of-concept code. Symantec has confirmed that the flaw can produce a Denial of Service, but has not confirmed the remote code execution claim.

As of this post, Apple has not posted a fix to this issue, but here are some steps you can take to protect yourself (via US-CERT):

  • Uninstall QuickTime (OK, kinda extreme)
  • Block the rtsp:// protocol (given how much we love streaming media, not likely either)
  • Disable the RTSP protocol handler (reasonable, depending on your risk tolerance) Mac OS X users can disable the RTSP protocol handler by editing the ~/Library/Preferences/ file with Property List Editor. Change the LSHandlerRoleAll value associated with the rtsp LSHanlderURLScheme to something other than This process can be simplified by using an application such as RCDefaultApp.
  • Disable QuickTime as the RTSP protocol handler on OS X (reasonable…you can pick RealPlayer as an alternative). To disable the RTSP registered protocol handler in OS X open ~/Library/Preferences/ and look through ahundred or more entries to find RTSP and change it to something else.
  • Do not access QuickTime files from untrusted sources (duh). Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.