New QuickTime exploit triggers the same old stack overflow
It would appear that a January fix that supposedly protects against malformed URLs sent to the RTSP handler of Apple's QuickTime wasn't a complete fix after all.
The US-CERT office of the Dept. of Homeland Security confirmed this morning that an intentionally malformed header sent to the Real Time Streaming Protocol (RTSP) handler of Apple's QuickTime for Windows, and presumably for Mac OS as well, will cause a familiar stack buffer overflow that could be remotely exploitable.
A similar problem was addressed by Apple last January, when a patch was issued to guard against intentionally malformed URLs sent over RTSP to QuickTime. But the new problem appears to involve overflowing the message header itself - not the URL to which the message is directed - with garbage characters at the end.
Publicly available exploit code cited by US-CERT appears to indicate that when the tail end of an otherwise properly parsed RTSP message is padded with garbage characters rather than terminated with an empty line (as the IETF's RTSP specification requires), a stack overflow condition is triggered.
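The framing rule at issue, as an added illustration that is not QuickTime's code or the exploit in question: RTSP borrows HTTP/1.1 message framing, so the header section is a series of CRLF-terminated lines closed by an empty line. A parser that checks each line's length against its buffer before copying, and treats running out of input without that empty line as an error, rejects a padded tail instead of overrunning the stack. The buffer limit and the sample messages are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#define MAX_LINE 256   /* limit chosen for this example, not QuickTime's */
enum { RTSP_UNTERMINATED = -1, RTSP_LINE_TOO_LONG = -2 };

/* Frame the header section of an RTSP message.  RFC 2326 reuses HTTP/1.1
 * framing: CRLF-separated lines closed by an empty line.  Returns the number
 * of lines before that empty line, or a negative code.  A line is copied into
 * the fixed stack buffer only after its length is checked, so a message whose
 * tail is padded with bytes instead of CRLF CRLF is rejected, not overrun. */
int rtsp_frame_headers(const char *msg, size_t len, size_t *hdr_end)
{
    size_t pos = 0;
    int lines = 0;
    while (pos < len) {
        size_t i = pos;                   /* find the CRLF ending this line */
        while (i + 1 < len && !(msg[i] == '\r' && msg[i + 1] == '\n'))
            i++;
        if (i + 1 >= len)                 /* input ended before a CRLF */
            return RTSP_UNTERMINATED;
        size_t line_len = i - pos;
        if (line_len == 0) {              /* empty line: headers complete */
            if (hdr_end) *hdr_end = i + 2;
            return lines;
        }
        if (line_len >= MAX_LINE)         /* must fit with its NUL terminator */
            return RTSP_LINE_TOO_LONG;
        char line[MAX_LINE];              /* bounded copy: length verified */
        memcpy(line, msg + pos, line_len);
        line[line_len] = '\0';
        lines++;
        pos = i + 2;
    }
    return RTSP_UNTERMINATED;
}
/* Constructed samples: a well-formed reply, and one whose header section
 * ends in padding bytes instead of the empty line. */
int demo_well_formed(void)
{
    static const char m[] = "RTSP/1.0 200 OK\r\nCSeq: 1\r\nServer: demo\r\n\r\n";
    return rtsp_frame_headers(m, sizeof m - 1, NULL);    /* returns 3 */
}

int demo_padded_tail(void)
{
    char m[600] = "RTSP/1.0 200 OK\r\nCSeq: 1\r\n";
    size_t n = strlen(m);
    memset(m + n, 'A', 500);                             /* padding, no CRLF CRLF */
    return rtsp_frame_headers(m, n + 500, NULL);         /* returns RTSP_UNTERMINATED */
}
```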
It's a different attack vector, but it triggers the same overflow as the URL bug discovered last January by security researcher Lance M. Havok. That month, Havok simultaneously released bulletins on 31 Mac OS and QuickTime-related exploits, in what he called "The Month of Apple Bugs."
US-CERT has not said that it is aware of any public instance of this exploit being used in the wild.