The news came out shortly after a bug in QuickTime’s handling of RTSP (Real Time Streaming Protocol) was discovered. Soon afterwards, a proof-of-concept exploit for this vulnerability appeared for Windows XP SP2 and Windows Vista.
But even though analysts had confirmed that QuickTime 7.2 and later for Mac was also vulnerable, it took several days for other researchers to notice a reliable exploit.
Last Thursday Symantec informed its DeepSight customers that the Metasploit exploit module had been released. “This particular exploit can cause remote code execution through the QuickTime RTSP vulnerability on Microsoft Windows and Apple systems,” Symantec stated in its advisory. “This is the first functional exploit for Apple systems that we have observed.”
Metasploit, an exploit testing framework created by renowned security researcher and hacker HD Moore, has drawn Symantec’s attention before. “Once we see something in Metasploit, we know that it is quite likely that it will be used in attacks,” says Alfred Huger, vice president of engineering in Symantec’s security response group.
Based on the proof of concept, the Metasploit module works on Intel-based (and PowerPC-based) Macs running both Mac OS X 10.4 (Tiger) and Mac OS X 10.5 (Leopard). It also works on PCs running Windows XP SP2.
Symantec suggests that users disable QuickTime as the default application for handling RTSP, and filter outbound traffic on the common RTSP ports, which include TCP port 554 and UDP ports 6970-6999.
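One way to check that this outbound filtering is actually in effect, as an added example that is not from the article or from Symantec: the script below scans firewall log lines for allowed outbound flows to TCP 554 or UDP 6970-6999. The log line format, the RFC 1918 definition of "internal", and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ports named in the advice above: TCP 554 and UDP 6970-6999.
RTSP_PORTS = {"tcp": range(554, 555), "udp": range(6970, 7000)}
# Assumption: the internal network uses RFC 1918 IPv4 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse 'ACTION PROTO SRC:SPORT DST:DPORT'; return None if malformed."""
    try:
        action, proto, src, dst = line.split()
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return action.upper(), proto.lower(), src_ip, dst_ip, int(dst_port)
    except ValueError:
        return None


def unfiltered_rtsp(lines):
    """Map internal host -> allowed outbound flows to the RTSP ports."""
    hits = defaultdict(set)
    for line in lines:
        if (rec := parse_line(line)) is None:
            continue  # skip lines that do not match the assumed format
        action, proto, src_ip, dst_ip, dst_port = rec
        outbound = is_internal(src_ip) and not is_internal(dst_ip)
        if action == "ALLOW" and outbound and dst_port in RTSP_PORTS.get(proto, ()):
            hits[src_ip].add((proto, dst_ip, dst_port))
    return dict(hits)


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "ALLOW tcp 192.168.1.20:49152 203.0.113.9:554",   # flagged: TCP 554 out
    "DENY  tcp 192.168.1.21:49153 203.0.113.9:554",   # filter worked
    "ALLOW udp 10.0.0.5:50000 198.51.100.7:6975",     # flagged: UDP range
    "ALLOW tcp 10.0.0.5:50001 198.51.100.7:6975",     # TCP, not the UDP range
    "ALLOW tcp 192.168.1.20:49154 192.168.1.30:554",  # internal to internal
    "garbled line",                                   # ignored
]
```

Any host returned by `unfiltered_rtsp(SAMPLE_LOG)` still has an allowed path out on the RTSP ports, so the filter rule covering it is missing or ordered after a broader allow.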
Apple has yet to release a fix for the QuickTime RTSP bug.