“Month of Bugs” Project Pins Down QuickTime and VLC Vulnerabilities

Posted by:
Date: Wednesday, January 3rd, 2007, 08:08
Category: News

According to an article on Macworld News, two Mac users (“LMH” and Kevin Finisterre) have begun a self-described initiative called the Month of Apple Bugs to “improve Mac OS X” by locating security flaws in Apple’s operating system as well as third party applications.
The duo published their first finds recently. Known as “MOAB-01-01-2007″, the first document describes a vulnerability in QuickTime’s Real Time Streaming Protocol features:
“By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition,” said the programmers.
The reported bug presently affects QuickTime 7.1.3, which is the current version for both the Mac OS X and Windows operating systems. The team suggests that the user disable QuickTime’s rtsp:// URL handler or uninstall QuickTime in the short term in their write up of the bug.
The second published bug focuses on VLC, the popular open source media player program.
The bug, which is present in version 0.8.6 of the program for Mac OS X (both the PowerPC and Intel version are affected by this bug, according to the report), allows an M3U file to be created which can be either opened locally or via a web server, compromising the security of the machine.
The only workaround to date is to disable VLC’s udp:// URL handler uninstall VLC or update to a new version of the program once it becomes available.
Where identification is concerned, “LMH” is the handle for an as-yet unidentified person helping with the project while Kevin Finisterre is the founder of Digital Munition and has been credited with the creation of the InqTana worm, a proof of concept that exploited a Bluetooth vulnerability present on some Macs and raised a relevant security issue in February of 2006.
If you have any comments or feedback about this, let us know.


According to an article on Macworld News, two Mac users (“LMH” and Kevin Finisterre) have begun a self-described initiative called the Month of Apple Bugs to “improve Mac OS X” by locating security flaws in Apple’s operating system as well as third party applications.
The duo published their first finds recently. Known as “MOAB-01-01-2007″, the first document describes a vulnerability in QuickTime’s Real Time Streaming Protocol features:
“By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition,” said the programmers.
The reported bug presently affects QuickTime 7.1.3, which is the current version for both the Mac OS X and Windows operating systems. The team suggests that the user disable QuickTime’s rtsp:// URL handler or uninstall QuickTime in the short term in their write up of the bug.
The second published bug focuses on VLC, the popular open source media player program.
The bug, which is present in version 0.8.6 of the program for Mac OS X (both the PowerPC and Intel version are affected by this bug, according to the report), allows an M3U file to be created which can be either opened locally or via a web server, compromising the security of the machine.
The only workaround to date is to disable VLC’s udp:// URL handler uninstall VLC or update to a new version of the program once it becomes available.
Where identification is concerned, “LMH” is the handle for an as-yet unidentified person helping with the project while Kevin Finisterre is the founder of Digital Munition and has been credited with the creation of the InqTana worm, a proof of concept that exploited a Bluetooth vulnerability present on some Macs and raised a relevant security issue in February of 2006.
If you have any comments or feedback about this, let us know.

Recent Posts