'Off-by-one stack overflow' unlikely to cause much harm

Sep 19, 2008 07:38 GMT  ·  By

Soon after Apple updated QuickTime to version 7.5.5, a certain "Securfrog" published code that can (allegedly) be used to crash any Web browser with the QuickTime plug-in. According to the person who found the flaw, a heap overflow can be triggered because of the way QuickTime handles long strings of data.

“The tag fails to handle long strings, which can lead to a heap overflow in Quicktime/Itunes media player,” milw0rm reveals. “This bug can be remote or local, Quicktime/Itunes parse any supplied file for a reconized [sic] header even if the header is not corresponding to the filetype, so you can put some xml in a mp4, mov, etc and open it with quicktime or you can do the same in some html page leading to a remote crash on Firefox, IE and any browser using the Quicktime plugin. Code execution may be possible.”

McAfee explains that, after doing a bit of research, they found that the alleged 0day exploit was actually an “off-by-one stack overflow,” meaning that the attacker can overwrite only one byte of the stack cookie. Since the Check_stack_cookie function is called when the function returns, the same site reveals, “if the Check_stack_cookie found out that the cookie is not matched, then the program exits”. According to their tests, this does result in “the crash of QuickTime/Itunes application”. All this is possible because “QuickTime has the /GS switch option enabled, hence a cookie is put into the stack,” McAfee reveals, adding that it is unlikely for code execution via this attack vector to be feasible. Nevertheless, users of QuickTime/iTunes are advised to take these allegations seriously “and look at appropriate defenses”.
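To illustrate the mechanism McAfee describes, here is an added C model (not QuickTime's code, and not the published crash code) of a /GS-style frame: a buffer, then the cookie, then the saved return address. An off-by-one terminator write lands on the first cookie byte, the epilogue check sees a mismatch and the frame is abandoned, while the return address behind the cookie is never reached. The layout, cookie value and inputs are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a /GS-protected frame (hypothetical layout, not QuickTime's). */
#define BUF_LEN 16
#define COOKIE_VALUE 0xA5C3E117u   /* constructed sample cookie; a real one is random */

struct gs_frame {
    uint8_t  buf[BUF_LEN];   /* offset 0..15  */
    uint32_t cookie;         /* offset 16..19 */
    uint32_t saved_ret;      /* offset 20..23 */
};

/* Prologue: the compiler stores the cookie between locals and the return address. */
static void frame_enter(struct gs_frame *f, uint32_t ret)
{
    memset(f->buf, 0, BUF_LEN);
    f->cookie = COOKIE_VALUE;
    f->saved_ret = ret;
}

/* Classic off-by-one: copies at most BUF_LEN bytes, then writes the NUL terminator,
   which for a full buffer lands at offset BUF_LEN, i.e. the first byte of the cookie. */
static void unsafe_copy(struct gs_frame *f, const char *src)
{
    size_t n = strlen(src);
    if (n > BUF_LEN) n = BUF_LEN;
    uint8_t *raw = (uint8_t *)f;   /* byte view of the frame's object representation */
    memcpy(raw, src, n);
    raw[n] = 0;                    /* the one byte that overflows for n == BUF_LEN */
}

/* Epilogue check, the role Check_stack_cookie plays: 1 = match, 0 = mismatch (exit).
   Note: if the overwritten cookie byte were already 0 the overwrite would go unnoticed. */
static int check_stack_cookie(const struct gs_frame *f)
{
    return f->cookie == COOKIE_VALUE;
}

/* 1 if the frame would return normally, 0 if the cookie check aborts the process. */
int cookie_ok_after_copy(const char *input)
{
    struct gs_frame f;
    frame_enter(&f, 0x00401000u);
    unsafe_copy(&f, input);
    return check_stack_cookie(&f);
}

/* Saved return address after the copy: the one-byte overflow cannot reach it. */
uint32_t saved_ret_after_copy(const char *input)
{
    struct gs_frame f;
    frame_enter(&f, 0x00401000u);
    unsafe_copy(&f, input);
    return f.saved_ret;
}
```

Run with a 16-character input and the check fails on a cookie differing in exactly one byte, the behaviour behind the "program exits" crash described above.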

Apple updated QuickTime to version 7.5.5 last week, adding changes that increase reliability and improve application compatibility as well as security, according to the company behind the Macintosh brand. In an e-mail, Securfrog stated that Apple had been alerted about this bug a full month ago. The company, however, didn't respond, according to InformationWeek.