On November 25, we blogged about a proof of concept exploit code for Apple's QuickTime RTSP Response Header Remote Stack Based Buffer Overflow Vulnerability being disclosed to the public. Now a week has passed and Symantec's DeepSight honeynet has spotted at least one active exploitation in the wild.

Originally, the flaw was disclosed on November 23, 2007 by Polish security researcher Krystian Kloskowski and since then we have seen number of exploits targeting the vulnerability being released to the public. But now the exploit is active and in the wild, meaning web surfers are in danger of being attacked. Our current analysis is also leading us to believe that there may be multiple attacks in existence. Further investigation is currently under way to confirm this.

Let me briefly explain what we have seen. The attack we have confirmed today begins with the popular IFRAME. An IFRAME code that causes the browser to make an additional request to another URL, is embedded in a porn site. Without knowledge, users visiting this site are redirected to the malicious site serving the exploit. Currently, the malware that is downloaded by the exploit is detected by Symantec as Downloader. We are still studying the attack in depth, so look out for more information at a later time.

Since a patch to correct the issue has yet to be released, we advise users to be cautious when browsing the web. For those of you seeking extra protection, we also recommend the following options:

- Run web browsers at the highest security settings possible

- Disable Apple QuickTime as a registered RTSP protocol handler.

- Filter outgoing activity over common RTSP ports, including TCP port 554 and UDP ports 6970-6999.