QuickTime - Remote hacker automatic control
Version: 7.3 and prior.
Technical Details: A new vulnerability appears to have been discovered in the RTSP handling within QuickTime, despite the fixes provided with QuickTime version 7.3.1. According to Luigi Auriemma, the vulnerability is a buffer overflow that can be exploited when the QuickTime media player is retrieving information about the status of the current RTSP connection. At this stage it appears that the vulnerability, as tested in the proof of concept, only affects the Windows version of QuickTime, but it is possible that the OS X version is vulnerable as well.
Description:
Luigi Auriemma has disclosed the discovery of a new vulnerability affecting QuickTime's handling of RTSP streams. This issue may be related to a previous RTSP vulnerability (addressed in QuickTime 7.3.1, released in mid-December), but at this stage it appears to affect only Windows versions of QuickTime. Proof of concept sample code is readily available from the discoverer.
Mitigation:
For all users, it is recommended that they update to QuickTime 7.3.1 (if they haven't already). Early reports suggest that OS X users (at least 10.5.1) are not vulnerable to this particular issue, but it is recommended that all users apply caution when interacting with rtsp:// streams.
Updates:
Not yet Available
Source:
http://aluigi.org
Exploits:
http://aluigi.org/poc/quicktimebof.txt
External Tracking Data: Not yet Identified