QuickTime 7.5.5 Bug Could be Vector for Attack

A bug in QuickTime 7.5.5 has been discovered which could be exploited for a malicious attack, but right now the risk is characterized as low. The QuickTime tag fails to handle long strings correctly.

The bug was announced by Intego on Thursday, but was first discovered by Symantec researcher Aaron Adams.

Intego described the exploit as follows:

The iquicktime type=i tag fails to handle long strings, which can lead to a heap overflow in QuickTime Player, iTunes, or any other program that attempts to display media using a QuickTime plug-in. This can be a browser, such as Appleis Safari, Microsoft Internet Explorer or Mozilla Firefox, or, on Mac OS X, could be any program that displays graphics or movies inline, such as Mail, or even the Finder if a user tries to view a file with Quick Look. For now, files which contain offending strings will crash programs attempting to display them, but malicious code could be added to such files, and may be executed with no user interaction, other than an attempt to view a file.

This bug can be remote or local, as QuickTime parses any supplied file for a recognized header even if the header does not correspond to the file type; for example, a malicious user could put XML content in an MP4 or MOV file, or could add a QuickTime media file to a web page which could then cause a browser to crash while executing malicious code.

For now, the risk has been assessed as low. Security expert Nicholas Raba with Securemac.com told TMO that researchers are looking into the exploit and have not yet figured how to include executable code. As a result, for now, the worst that can happen is a QuickTime crash.