Apple QuickTime rtsp URL handler buffer overflow

A flaw in real-time streaming of QuickTime videos could allow remote attackers to compromise your Windows or Mac system.

by Robert Vamosi

January 2, 2007 2:32 PM PST

There's a buffer overflow affecting both the Windows and Mac version of Apple QuickTime 7.1.3 real-time streaming protocol (rtsp). The flaw allows remote attackers to execute arbitrary code which could allow remote access and the arbitrary execution of malicious code on compromised machines. If a user clicks a very long and specially crafted QuickTime video URL, an attacker could load malicious code onto Microsoft Windows or Apple Mac OS X machines.

At this time, there is no patch available from Apple. Users should avoid clicking URLs that begin with "rstp://." One workaround within QuickTime is to disable the rtsp:// URL handler. To do so, Mac users should open QuickTime, go to Preferences, click the Advanced tab, and select Mime Settings; once there, uncheck the box next to Streaming - Streaming Movies. For Windows users, click Edit, then Preferences, and then QuickTime Preferences. Select File Types from the pull-down menu or tab options. On the File Types page click Streaming - Streaming Movies to display additional options and uncheck the box next to RSTP stream descriptor if necessary.

Additional Resources:

NIST: CVE-2007-0015
MOAB: MOAB-01-01-2007
Milworm.com: 3064

CNET Update

Questions persist about NSA surveillance

Organizations request more transparency in the National Security Agency's data collection methods, Netflix plans to launch DreamWorks TV shows, and Instagram is rumored to be adding video.

Play Video