Fresh vulnerabilities plague QuickTime, Gmail

TechWorld.com - A cross-site scripting vulnerability revealed in Google's Gmail was swiftly patched ove the holiday weekend, while the opening salvo in January's Month of Apple Bugs proves to be significant for both Mac and Windows users.

Apple's QuickTime software has a highly serious bug that could leave Windows and Mac users open to attacks by malicious Web sites, according to a project aimed at disclosing Apple bugs throughout January.

The QuickTime flaw launches the Month of Apple Bugs (MOAB), which follows on from efforts such as the Month of Kernel Bugs and the Month of Browser Bugs. The bug was discovered by LMH, a MOAB organizer who hasn't disclosed his name.

The flaw affects any Windows or Mac OS X bug with QuickTime Player Version 7.1.3 installed; previous versions are also probably vulnerable. The problem lies in the way QuickTime handles addresses beginning with "rtsp://", and can be exploited to create a stack-based buffer overflow using HTML, JavaScript or a QTL file, LMH wrote.

The attack can execute malicious code and take over a system. "Exploitation of this issue is trivial," LMH wrote. He supplied a working exploit, which makes the problem all the more dangerous.

The problem hasn't been patched yet. Possible workarounds include uninstalling QuickTime and disabling the rtsp:// handler.

Secunia and FrSIRT both agreed the bug poses an immediate threat.

Meanwhile, Google Inc. fixed a cross-site scription vulnerability over the weekend that would have allowed Web sites to harvest information from Gmail contact lists, a problem that could have let spammers collect reams of new e-mail addresses.

For an attack to work, a user would have to log into a Gmail account and then visit a Web site that incorporates JavaScript code designed to take contact information from Gmail.

Proof-of-concept code was publicly posted. The JavaScript code used a capability that Google used to integrate addressing with other services including its video download site and online office productivity suite.

Google appears to have fixed the problem within 30 hours of being notified, wrote Haochi Chen, a blogger who tracks the company on his blog. A Google spokeswoman in London confirmed on Tuesday morning the problem was fixed.

IDG News Services' Jeremy Kirk contributed to this report.