"Month of Apple Bugs" Exposes 2 Bugs in 2 Days

The perception that Apple systems are free of security bugs was dispelled on Monday, when details of a security vulnerability were published on the Web site of the "Month of Apple Bugs" project, which aims to disclose a new vulnerability in Apple's software each day during January.

The "Month of Apple Bugs", or MOAB, project began on Monday by disclosing a vulnerability in Apple's QuickTime application, the media player that lets users capture, watch and share video.

According to the MOAB project's inaugural posting, the QuickTime bug is serious and could leave both Windows and Mac users open to attack by malicious Web sites.

The MOAB advisory states that the vulnerability lies in QuickTime's rtsp:// URL handler, the code that processes addresses beginning with the Real Time Streaming Protocol (RTSP) scheme. By convincing an unsuspecting user to follow a specially crafted link, whether embedded in HTML, generated by JavaScript, or contained in a QTL (QuickTime media link) file, an attacker could remotely run code of their choosing on the victim's computer.

The flaw affects both Windows and Mac OS X systems running QuickTime 7.1.3, the latest version of the media player, released in September; earlier versions are likely to be vulnerable as well.

Launched by independent security researcher Kevin Finisterre and a hacker known only as LMH, who prefers to remain anonymous, the MOAB project is meant to raise awareness of security vulnerabilities in Apple's products. It follows November's "Month of Kernel Bugs" campaign and the "Month of Browser Bugs", which kicked off in July.

On the QuickTime vulnerability, LMH said, "The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account," adding that "It can be triggered via JavaScript, Flash, common links, QTL files and any other method that starts QuickTime."

QuickTime users can take precautions against the vulnerability: disabling support for RTSP URLs stops the vulnerable handler from being invoked. The SANS Internet Storm Center, which tracks Internet threats, has published instructions for doing this on both Windows PCs and Macs.
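As an added illustration, not code from the article, the MOAB project or SANS, the following Python scanner flags links that use the URL schemes handed off to external media players (rtsp:// for QuickTime, and udp:// for the VLC flaw reported further down) in HTML, inline JavaScript and QTL files, the three vectors LMH lists above. A mail gateway or proxy could use such a check to quarantine content while the client-side handler is still enabled. The sample inputs are constructed, and the 512-byte length heuristic is an assumption of mine, not a figure from the advisory.

```python
"""Added example, not code from the article, the MOAB project or SANS.

Scans HTML, inline JavaScript and QTL (QuickTime media link) content for links
that would be dispatched to an external URL handler such as QuickTime's rtsp://
or VLC's udp:// handler, so the content can be quarantined while the handler is
still enabled on clients.  Sample inputs are constructed; the length threshold
is a heuristic of my own, not a figure from the advisory.
"""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Schemes dispatched to media players rather than rendered by the browser (assumed list).
RISKY_SCHEMES = {"rtsp", "udp"}
# Heuristic: a stream URL longer than this looks like padding rather than a real address (assumption).
LONG_URL = 512

SCHEME_RE = re.compile(r"\s*([a-z][a-z0-9+.-]*):", re.IGNORECASE)
# Quoted string literals inside <script> that start with one of the risky schemes.
URL_IN_SCRIPT = re.compile(r"[\'\"]((?:rtsp|udp)://[^\'\"]*)[\'\"]", re.IGNORECASE)


def classify(url):
    """Return a finding for a URL with a risky scheme, or None if it is harmless."""
    m = SCHEME_RE.match(url)
    if not m or m.group(1).lower() not in RISKY_SCHEMES:
        return None
    return {"url": url, "scheme": m.group(1).lower(), "oversized": len(url) > LONG_URL}


class _LinkCollector(HTMLParser):
    """Gathers href/src/data attribute values plus risky URLs from inline scripts."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src", "data") and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive as raw text; pull quoted rtsp:// and udp:// literals out of them.
        if self._in_script:
            self.urls.extend(URL_IN_SCRIPT.findall(data))


def scan_html(text):
    """Return findings, in document order, for every risky link in an HTML document."""
    collector = _LinkCollector()
    collector.feed(text)
    collector.close()
    return [f for f in map(classify, collector.urls) if f]


def scan_qtl(text):
    """QTL files are XML whose <embed src="..."> names the stream QuickTime will open."""
    root = ET.fromstring(text)
    urls = [el.get("src") for el in root.iter() if el.get("src")]
    return [f for f in map(classify, urls) if f]


# Constructed samples: a padded rtsp:// link, a udp:// embed, and a link set from script.
PADDED_RTSP = "rtsp://stream.example.invalid/" + "A" * 600
SAMPLE_HTML = (
    '<html><body>\n'
    '<a href="http://www.example.invalid/page.html">safe link</a>\n'
    f'<a href="{PADDED_RTSP}">watch</a>\n'
    '<embed src="udp://239.0.0.1:1234" type="application/x-vlc-plugin">\n'
    '<script>window.location = "rtsp://stream.example.invalid/t.mov";</script>\n'
    '</body></html>'
)
SAMPLE_QTL = (
    '<?xml version="1.0"?>\n'
    '<?quicktime type="application/x-quicktime-media-link"?>\n'
    '<embed src="rtsp://stream.example.invalid/clip.mov" autoplay="true" />\n'
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML) + scan_qtl(SAMPLE_QTL):
        size = "oversized" if finding["oversized"] else "normal"
        print(finding["scheme"], size, finding["url"][:60])
```

Run against the constructed samples, the scanner reports three findings from the HTML (the padded rtsp:// anchor, the udp:// embed, and the rtsp:// literal inside the script) and one from the QTL file. Only the padded anchor is flagged as oversized; a plain udp:// or rtsp:// link still gets reported, because the page makes clear that any link reaching the handler is enough to trigger the bug.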

On Tuesday, LMH and Finisterre disclosed the second bug of their project, though this time the flaw is not in Apple code but in the udp:// URL handler of VideoLAN's open source VLC media player, which is available for Mac OS X and Windows.

The flaw is present in VLC 0.8.6, released Dec. 10, and, like the QuickTime flaw, affects both OS X and Windows. By supplying a specially crafted udp:// URL (a format string flaw), a remote attacker could execute arbitrary code. Disabling the udp:// URL handler or uninstalling VLC works around the problem, the researchers wrote.

Finisterre and LMH intend to uncover bugs in the Mac OS X kernel as well as in software such as Safari, iTunes, iPhoto, and QuickTime during their project.

Some of the bugs are likely to affect versions of Apple's software designed to run on Microsoft Windows, LMH said.
