Security Issue with Apple QuickTime (and iTunes) — Update

UPDATE 12/14/07

A fixed version of Apple QuickTime is now available, 7.3.1, that resolves the RTSP vulnerability described below. The update can be downloaded from: http://www.apple.com/quicktime/download/

The new version supports Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, and Windows XP SP2. QuickTime and iTunes users should upgrade at their earliest convenience.

~~~~~~~~~~~~~~~~~~~~~~

Users of QuickTime are advised to access QuickTime files only from known, trusted sources until a fix is available from Apple. Apple QuickTime currently has a significant security issue in its Real Time Streaming Protocol (RTSP) support. RTSP is the protocol QuickTime uses to play multimedia content (e.g., videos, music, etc.) that is hosted on another server.

This issue may allow a remote attacker to run software of their choosing on an unsuspecting user’s computer, and the user would most likely not notice it running. QuickTime versions 4.0 through 7.3 are reported to be vulnerable on all supported Mac and Windows platforms. Since iTunes makes use of QuickTime components, it is also affected.
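The version boundaries above (4.0 through 7.3 vulnerable, 7.3.1 fixed) are easy to get wrong when checked as strings, because "7.10" sorts before "7.3" lexicographically and "7.3" versus "7.3.1" needs a numeric comparison. The following is an added example, not code from the advisory or from Apple, that parses dotted QuickTime version strings numerically, classifies them against the advisory's stated range, and triages a constructed host inventory to list the machines still needing the update. The helper names and the inventory lines are assumptions made for the example.

```python
"""Classify QuickTime version strings against the RTSP advisory's stated range.

The boundaries (4.0 through 7.3 vulnerable, fixed in 7.3.1) come from the
advisory text; the function names and sample inventory are constructed here.
"""

VULNERABLE_MIN = (4, 0)      # earliest release the advisory names as vulnerable
FIXED_VERSION = (7, 3, 1)    # release that resolves the RTSP issue


def parse_version(text: str) -> tuple:
    """Turn '7.3.1' or '7.3.1.70' into a tuple of ints.

    Tuple comparison is numeric per component, so '7.10' correctly sorts
    after '7.3' and '7.3' correctly sorts before '7.3.1'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not covered'.

    'not covered' is reported for releases older than 4.0, which the advisory
    does not mention; treat those as unknown rather than as safe.
    """
    v = parse_version(version)
    if v < VULNERABLE_MIN:
        return "not covered"
    if v < FIXED_VERSION:
        return "vulnerable"
    return "fixed"


def is_vulnerable(version: str) -> bool:
    return classify(version) == "vulnerable"


# Constructed sample inventory: "hostname,quicktime_version" per line.
INVENTORY = """\
host01,7.2.0.240
host02,7.3.0.70
host03,7.3.1.70
host04,7.10
host05,3.0.2
"""


def hosts_needing_update(inventory: str) -> list:
    """List hosts whose installed version falls inside the vulnerable range."""
    needing = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, ver = line.partition(",")
        if is_vulnerable(ver):
            needing.append(host.strip())
    return needing


if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print(f"{host}: update to QuickTime 7.3.1 or later")
```

Note that "7.10" is classified as fixed only because it compares numerically above 7.3.1; the advisory says nothing about such a version, so the point of the example is the comparison discipline, not a claim about releases the page does not mention.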

Users should also be aware that exploit code for this issue is publicly available and has already been detected on some malicious web sites. Viewing QuickTime content from one of these sites could allow the attacker to remotely control your computer.

Unfortunately, since no software fix is yet available from Apple, the most secure options are also the most drastic: completely uninstalling QuickTime, or disabling the QuickTime plug-in in every browser you have installed.

For now, the simplest recommendation is to access QuickTime files only from web sites that you know well and trust. As always, don’t click on unsolicited links in emails, instant messages, IRC channels and within web forums (including MySpace and Facebook).