This article originally appeared in TidBITS on 2007-11-28 at 2:33 p.m.
The permanent URL for this article is: http://db.tidbits.com/article/9333

Protect Yourself from the QuickTime RTSP Vulnerability

by Rich Mogull

On 24-Nov-07, the U.S. Computer Emergency Readiness Team (US-CERT) issued a critical alert [1] for a new security vulnerability in QuickTime [2] on Macs and PCs. This QuickTime flaw is especially serious because active exploit code exists on the Internet, because it can allow an attacker to take over your computer, and because there is as yet no patch to fix the flaw. In the security world we call this a "zero-day" vulnerability, and it's a serious situation since it's so hard for users to protect themselves without a patch.

Originally, the exploit code was designed for Windows, not Mac OS X, but there is now exploit code for both Tiger and Leopard. Until Apple issues a patch, we must all be extremely careful using QuickTime, which is inconvenient at best.

This particular flaw takes advantage of a vulnerability in how QuickTime uses the Real Time Streaming Protocol [3] (RTSP) to stream audio and video over the Internet. If an attacker gets you to connect to a malicious RTSP stream, they can potentially use that connection to insert and run bad software on your system. How might you be enticed to connect to a malicious RTSP stream? By visiting a malicious Web page, clicking a link in an RSS feed, or clicking a link in a maliciously crafted email message.

Vulnerabilities in QuickTime are always hard to protect against without patching because of how tightly QuickTime is integrated into iTunes and Mac OS X. CERT advises Windows users to disable QuickTime entirely, but that's unrealistic for us Mac types.

The best defense for now is simple caution and awareness. Avoiding risky Web sites and not clicking URLs in strange email messages reduces your risk, but there's still a remote chance you could make an innocent mistake and end up at a malicious Web site.

Since this is a network-based attack, another security option is to block connections using a firewall. Ideally we could do this using the application firewall in Leopard, but that only lets us block inbound connections, and this attack uses an outbound connection. The next best option is to configure the ipfw firewall built into all versions of Mac OS X to block outbound access for TCP port 554 and UDP ports 6970-6999. You can do this manually or using a tool like WaterRoof [4]. (For more on the firewall in Mac OS X 10.5 see my article, "Leopard Firewall Takes One Step Forward, Three Steps Back [5]," 2007-11-05, and Chris Pepper's "What's a Firewall, and Why Should You Care?" 1999-02-22.) QuickTime will still work fine for your local media files; the firewall blocks only streaming media.
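
As an added example of the manual ipfw approach described above (this is not code from the article, from Apple or from WaterRoof), the script below writes the two outbound deny rules, applies them with ipfw, and checks an "ipfw list" listing to confirm they are in place. It assumes the classic ipfw firewall on Mac OS X 10.5 or earlier, sudo access to apply rules, and rule numbers 2000 and 2001, an arbitrary choice that sorts ahead of the default "65535 allow ip from any to any" rule.

```shell
#!/bin/sh
# Added example, not from the TidBITS article: block QuickTime's outbound
# RTSP traffic with ipfw. Rule numbers 2000/2001 are an assumed choice.
set -u

RTSP_TCP_PORT=554          # RTSP control channel
RTSP_UDP_PORTS="6970-6999" # RTP/RTCP data ports QuickTime uses by default

# Print the rule bodies, one per line, so they can be reviewed before applying.
# "log" records hits (visible with net.inet.ip.fw.verbose=1), which is how
# you would notice an attempted connection to a malicious stream.
rtsp_block_rules() {
    printf '%s\n' \
        "add 2000 deny log tcp from any to any dst-port ${RTSP_TCP_PORT} out" \
        "add 2001 deny log udp from any to any dst-port ${RTSP_UDP_PORTS} out"
}

# Apply the rules. Returns 1 if ipfw is not available on this system.
apply_rtsp_block() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    rtsp_block_rules | while read -r rule; do
        # $rule is intentionally unquoted so ipfw receives separate arguments
        sudo ipfw $rule
    done
}

# Read an "ipfw list" listing on stdin and verify both deny rules exist.
# Returns 0 if both are present; otherwise prints what is still open and
# returns 1. Usage: sudo ipfw list | rtsp_block_present
rtsp_block_present() {
    listing=$(cat)
    missing=""
    echo "$listing" | grep -q "deny.*tcp from any to any dst-port ${RTSP_TCP_PORT} out" \
        || missing="$missing tcp/${RTSP_TCP_PORT}"
    echo "$listing" | grep -q "deny.*udp from any to any dst-port ${RTSP_UDP_PORTS} out" \
        || missing="$missing udp/${RTSP_UDP_PORTS}"
    [ -z "$missing" ] && return 0
    echo "unblocked:$missing"
    return 1
}
```

As the article notes in the next paragraph, this only covers QuickTime's default ports, so treat it as one layer rather than a complete fix.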

Unfortunately, it's still possible for an attacker to trick QuickTime into using a non-standard port, so this is only a partial defense. Another option is to use a third-party application firewall like Objective Development's Little Snitch 2 [6]. Just configure it to block connections from QuickTime, which is one of the default applications already protected by Little Snitch. There's a free 30-day trial that you can use right away to protect your Macs (for 3 hours at a time), and it's well worth the $24.95 price for non-stop protection.

This situation highlights why it's so important for Apple to finish some of the security improvements they started implementing in Leopard (see "How Leopard Will Improve Your Security [7]," 2007-10-22). Both library randomization and sandboxing can help prevent exploits of vulnerabilities like this. If Apple were to add outbound blocking to the application firewall, it would let us block these kinds of attacks without having to know anything about ports and protocols. Apple is clearly on the right path, and I look forward to future updates that will keep me protected even when a new, unpatched vulnerability is in the wild.

Until then, you need to keep your eyes open for a patch (which I expect we'll see very soon), and hone your safe computing habits.

[1]: http://www.kb.cert.org/vuls/id/659761
[2]: http://www.apple.com/quicktime/
[3]: http://en.wikipedia.org/wiki/Rtsp
[4]: http://www.hanynet.com/waterroof/
[5]: http://db.tidbits.com/article/9294
[6]: http://www.obdev.at/products/littlesnitch/
[7]: http://db.tidbits.com/article/9251