A remotely exploitable flaw in the integer handling of QuickTime's SMIL file processing could lead to overflow conditions.
Apple has released a patch and details about the issue. It centered on the Synchronized Multimedia Integration Language (SMIL), according to iDefense Labs.
iDefense described how a vulnerable version could be co-opted by an attacker if QuickTime users do not update to version 7.2, now available from Apple:
The vulnerability specifically exists in QuickTime player's handling of the title and author fields in an SMIL file. When parsing an SMIL file, arithmetic calculations can cause insufficient memory to be allocated.
When copying in user-supplied data from the SMIL file, a heap-based buffer overflow occurs. This results in a potentially exploitable condition.
A QuickTime user could be victimized if a malicious party can redirect them to a specially crafted SMIL file to exploit the vulnerability. iDefense believes all previous versions of QuickTime before 7.2 probably have this flaw.
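The bug class iDefense describes (length arithmetic that wraps, an undersized allocation, then a copy of the full field data) can be shown with a short added example; this is not Apple's or iDefense's code. The function names, the 32-bit length fields and the packed "title, NUL, author, NUL" layout are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout: title and author stored back to back, each NUL-terminated. */

/* Unchecked size arithmetic: 32-bit lengths taken from a file can wrap to a tiny sum. */
uint32_t unchecked_size(uint32_t title_len, uint32_t author_len)
{
    return title_len + author_len + 2;      /* +2 for the two terminators */
}

/* Checked size arithmetic: returns 0 and sets *out, or -1 if the sum cannot fit. */
int checked_size(uint32_t title_len, uint32_t author_len, uint32_t *out)
{
    if (title_len > UINT32_MAX - 2)
        return -1;
    if (author_len > UINT32_MAX - 2 - title_len)
        return -1;
    *out = title_len + author_len + 2;
    return 0;
}

/* Allocates and fills the packed buffer only when the size was validated first. */
char *pack_metadata(const char *title, uint32_t title_len,
                    const char *author, uint32_t author_len)
{
    uint32_t total;
    if (checked_size(title_len, author_len, &total) != 0)
        return NULL;                        /* reject instead of under-allocating */
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, title, title_len);
    buf[title_len] = '\0';
    memcpy(buf + title_len + 1, author, author_len);
    buf[total - 1] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed lengths: the unchecked sum wraps to 18 bytes. */
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(0xFFFFFFF0u, 0x20u));
    char *ok = pack_metadata("Demo", 4, "Ann", 3);
    printf("packed: %s / %s\n", ok, ok + 5);
    free(ok);
    return 0;
}
```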
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.