Apple QuickTime RTSP URL Handler Vulnerability
Last Updated: 2007-01-03 08:33:07 UTC
by Scott Fendley (Version: 4)
The Month of the Apple bugs seems to have started. The first bug is in the handling of RTSP URL's within Quicktime, leading to arbitrary code execution on both Windows and Mac OS. You can find the advisory here:
http://projects.info-pull.com/moab/MOAB-01-01-2007.html. The MOAB blog states that you should disable the rtsp:// URL handler, however I have not determined how this is done.
Robert helped me find something I was missing. Guess I am just blind today or was just paying a little too much attention to the bowl games. To disable RTSP URLs in QuickTime, open the QuickTime control panel. Then, select the File Types tab. Expand the Streaming category and make sure the RTSP stream descriptor is unchecked. Here is a screen capture of this from my Windows based computer. I assume MacOS X computers have a similar control panel. I recommend that you make sure that this is unchecked.