An easy-to-exploit security vulnerability in Apple Computer"s QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks. The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January.
According to an advisory released Jan. 1, the flaw exists in the way QuickTime handles a specially rigged "rtsp://" URL. "By supplying a specially crafted string, [an] attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition," said LMH, one of the mysterious hackers behind the controversial project. He described exploitation of the issue as "trivial" and warned that stack NX can also be rendered useless.