FortiGuard Center

Prevalence Report: Vulnerability in Apple QuickTime Player RTSP Actively Exploited



Fortinet Global Security Research Team Provides Protection Against a Vulnerability in Apple QuickTime Player RTSP Handling

Fortinet Global Security Research Team has studied an array of web sites containing IFRAME tags that direct traffic to a server hosting an exploit for the RTSP vulnerability. The activity on that server has escalated throughout December 2007 to date. The pages also include a second IFRAME tag as part of a blended threat scheme, which directs traffic to another site that is actively exploiting the Win32 ANI vulnerability (CVE-2007-0038).


Figure 1: Activity for the domain {removed}search.com actively hosting the RTSP exploit, showing a spike in December 2007


The remote code execution vulnerability exists in the Apple QuickTime Player when handling RTSP replies. An attacker can execute arbitrary code on the affected system by exploiting this vulnerability through a stack overflow. The overflow occurs when the player handles the “Content-Type” header of an RTSP reply.

Public exploit code has been available since November 27, 2007. Fortinet has been protecting customers against both of these threats since, and in some cases before, this date with the signatures listed below, as part of a recommended solution:
  • Fortinet Global Security Research Team released a signature “MPlayer.RTSP.Line.Response.Buffer.Overflow.A” in September 2006, which covers this specific vulnerability.
  • Fortinet Global Security Research Team released a signature “RTSP.Content-Type.Header.Buffer.Overflow” on November 27th, 2007 which further covers this specific vulnerability.
  • Fortinet Global Security Research Team released a signature on June 5th, 2007 that detects the mentioned ANI exploit as “W32/Malformed_ANI.D” which covers this second vulnerability.
  • Users of Apple QuickTime Player 7.x should disable RTSP support and apply a patch immediately when it is available.
  • Apple has put out a new QuickTime player to address this. This is available at http://www.apple.com/quicktime/download/

Affected Software:
  • Apple QuickTime Player 7.2 / 7.3

References:
  • FortiGuard Vulnerability Encyclopedia: http://www.fortiguardcenter.com/ids/AID12339
  • QuickTime RTSP CVE ID: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6166

Updated December 14, 2007: Included Apple's patch.

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated multi-threat security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and antispam--providing customers a way to protect against multiple threats as well as blended threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified eight times over by the ICSA (firewall, antivirus, IPSec, SSL, IDS, client antivirus detection, cleaning and antispyware). Fortinet is privately held and based in Sunnyvale, California.