Can be exploited to perform drive-by-download attacks

Jul 28, 2010 17:38 GMT  ·  By

A highly critical remote code execution vulnerability has been discovered in the latest version of QuickTime for Windows. Secunia reports that the flaw can be exploited by tricking users into viewing a maliciously crafted Web page.

According to an advisory published by the Danish vulnerability intelligence vendor, a flaw in QuickTime's error logging process for stream debugging can be exploited to trigger a buffer overflow. This type of condition occurs when the program writes outside the boundary of its allocated memory region.

"The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow," Secunia says. Buffer overflows pose a serious security risk, because in most cases they allow inserting arbitrary code into memory for later execution.
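The advisory describes a classic pattern: an attacker-controlled string (here the SMIL URL) is formatted into a fixed-size stack buffer without a length check. The following is an added illustration, not QuickTime's code or anything from the Secunia advisory; the function names, the 64-byte buffer and the "stream error:" log prefix are constructed for the example. It shows the unbounded formatting call beside a hardened version that bounds the write and reports truncation so the caller can reject oversized input instead of logging it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed for this example: a deliberately small stack buffer for one log line. */
#define LOG_LINE_MAX 64

/* VULNERABLE pattern (illustrative only): sprintf() has no notion of the
 * destination size, so a URL longer than the buffer writes past the end of
 * `line` on the stack, which is the condition the advisory describes.
 * Never call this with untrusted input; it is here only for contrast. */
void log_stream_error_unsafe(const char *url)
{
    char line[LOG_LINE_MAX];
    sprintf(line, "stream error: %s", url);   /* no bound on the write */
    fputs(line, stderr);
}

/* HARDENED: snprintf() writes at most out_len bytes including the NUL
 * terminator. Returns 1 if the whole message fit, 0 if it was truncated
 * (or on a formatting error), so the caller can treat oversized input as
 * a rejected request rather than a silently mangled log line. */
int log_stream_error_safe(const char *url, char *out, size_t out_len)
{
    int needed = snprintf(out, out_len, "stream error: %s", url);
    if (needed < 0)
        return 0;
    /* snprintf reports the length it wanted; it fit only if that is < out_len. */
    return (size_t)needed < out_len;
}

/* Boundary check performed before any formatting: returns 1 when the URL is
 * at most max_url bytes long, scanning no further than max_url + 1 bytes. */
int url_len_ok(const char *url, size_t max_url)
{
    size_t i;
    for (i = 0; i <= max_url; i++) {
        if (url[i] == '\0')
            return 1;
    }
    return 0;
}

/* Validate first, then log into a bounded buffer. Returns 1 on success,
 * 0 if the URL was rejected as too long for the log line. */
int log_stream_error_checked(const char *url)
{
    char line[LOG_LINE_MAX];
    /* Reserve room for the prefix "stream error: " (14 bytes) and the NUL. */
    if (!url_len_ok(url, LOG_LINE_MAX - 14 - 1))
        return 0;
    if (!log_stream_error_safe(url, line, sizeof line))
        return 0;
    fputs(line, stderr);
    fputc('\n', stderr);
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: a short URL that fits and a long one that does not. */
    char long_url[201];
    memset(long_url, 'A', 200);
    long_url[200] = '\0';

    printf("short url accepted: %d\n", log_stream_error_checked("rtsp://example.test/a.sdp"));
    printf("long url accepted:  %d\n", log_stream_error_checked(long_url));
    return 0;
}
```

The design point is that the length decision is made once, at the boundary where untrusted data enters, and the formatting call itself is also bounded; either measure alone would have prevented the overflow, and using both means a later refactor of one does not silently reintroduce it.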

In order to exploit this QuickTime vulnerability an attacker must trick users into visiting a Web page that references a specially crafted SMIL file containing an abnormally long URL. SMIL is an XML-based markup language used to define various aspects of multimedia presentations, such as layout, timeline or elements.

This kind of attack, performed over the Web, is known as a drive-by download, because the transfer of malicious data happens transparently to the user. Malware distributors regularly infect legitimate websites with exploit toolkits that target similar remote code execution vulnerabilities in outdated versions of popular software like Adobe Reader, Flash Player, Java Runtime, Firefox or Internet Explorer.

QuickTime is also a valuable target for cyber criminals, because it is installed on a very large number of computers. Almost all people who own an iPod, iPhone or iPad use iTunes, and iTunes requires QuickTime for audio and video playback.

According to Secunia, the vulnerability was confirmed in QuickTime 7.6.6 (1671) for Windows, but older versions might also be affected. Apple has yet to comment on it.

A Polish security researcher named Krystian Kloskowski is credited with the bug's discovery. Back in May, he disclosed a similar remote code execution vulnerability affecting the latest version of Safari for Windows at the time.

You can follow the editor on Twitter @lconstantin