CUPERTINO, CA — It’s time for PC owners to snicker quietly to themselves yet again. The impenetrable Apple has yet another security vulnerability; this time in the company’s popular cross-platform QuickTime media software. According to Symantec in a DeepSight Threat Management System alert released on Sunday, the unpatched problem area can be manipulated by hackers intent on running their own code on victimized systems.
Although current attacks appear to specifically target Windows machines, experts are quick to remind computer users that the QuickTime issue exists on both operating systems, meaning that Mac OS users may well be next.
Known as the Apple QuickTime RTSP Response Header Stack-Based Buffer Overflow Vulnerability and first reported on November 23rd, the weakness is still unpatched by Apple in spite of the fact that exploit code appeared online last week.
Affected systems include Windows XP, Windows Vista, MacOS X 10.4, and the newly released MacOS X 10.5, known popularly as “Leopard.” Malicious hackers are able to access the vulnerability via a number of popular Web browsers, including Internet Explorer, Firefox, Opera, and Safari – resulting in two different kinds of attacks.
Victims may find that their computers have been redirected from adult site OurVoyeur.net to an infected site which downloads the loader.exe app, which can appear on the computer as metasploit.exe, asasa.exe, or syst.exe. Once there, the exploit downloads yet another file, which Symantec has identified as the binary file Hackertool.Rootkit, which can be employed to break deeper into the system. The OurVoyeur.net site is most likely not a willing participant in the scheme, according to Symantec.
Redirection is also involved in the second type of attack, which is under investigation by Symantec as it attempts to determine whether or not mal code is involved.
Recommendations for protection range from uninstalling QuickTime until Apple sees fit to stabilize it to filtering outgoing access to affected sites, including 2005-search.com, 1800-search.com, search-biz.org, OurVoyeur.net, 85.255.117.212, 85.225.117.213, 216.255.183.59, 69.50.190.135, 58.65.235.116, and 208.113.154.34. Symantec also suggests that IT managers black outgoing TCP access to port 554.
