Apple QuickTime PICT Memory Corruption Vulnerability
28 Dec. 2010
Summary
Remote exploitation of a memory corruption vulnerability in Apple QuickTime media player could allow attackers to execute arbitrary code in the context of the targeted user.
Vulnerable Systems:
* Apple QuickTime Player versions prior to 7.6.9
Immune Systems:
* Apple Inc. QuickTime Player version 7.6.9 or later
The vulnerability specifically exists in the way specially crafted PICT image files are handled by the QuickTime PictureViewer.
When processing specially crafted PICT image files, QuickTime PictureViewer uses a length value read from the file to control how much data a byte swap operation processes. The byte swap operation converts big endian data to little endian data. QuickTime fails to validate this length value properly before using it. When the length value is larger than the buffer actually allocated for the data, the swap writes beyond the end of the allocated heap buffer, corrupting heap memory, which could lead to an exploitable condition.
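A constructed C example, not QuickTime's code, of the length check the advisory says is missing: the file-supplied word count is validated against the allocated buffer size before the byte swap runs, so an oversized count is rejected instead of writing past the allocation. Function names, the 16-bit word layout and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the flaw class in the advisory: a word count
 * taken from the file drives a 16-bit byte swap (big endian to little
 * endian) over a heap buffer of known allocated size. Not QuickTime's code;
 * function names and buffer layout are assumed. */

/* Hardened pattern: validate the count against the allocated size before
 * touching the buffer. Without this check, a count larger than buf_len / 2
 * would write past the end of the allocation (the condition the advisory
 * describes). Returns -1 and leaves the data untouched on rejection. */
int swap16_checked(uint8_t *buf, size_t buf_len, size_t word_count)
{
    if (word_count > buf_len / 2)
        return -1;
    for (size_t i = 0; i < word_count; i++) {
        uint8_t t = buf[2 * i];
        buf[2 * i] = buf[2 * i + 1];
        buf[2 * i + 1] = t;
    }
    return 0;
}

/* Constructed 4-byte sample: two big-endian words 0x1234 and 0x5678.
 * Returns 1 if an in-bounds count swaps both words correctly. */
int demo_in_bounds(void)
{
    uint8_t b[4] = {0x12, 0x34, 0x56, 0x78};
    if (swap16_checked(b, sizeof b, 2) != 0) return 0;
    return b[0] == 0x34 && b[1] == 0x12 && b[2] == 0x78 && b[3] == 0x56;
}

/* Returns 1 if an oversized count (3 words for a 4-byte buffer) is rejected
 * and the buffer is left unmodified. */
int demo_oversized_rejected(void)
{
    uint8_t b[4] = {0x12, 0x34, 0x56, 0x78};
    if (swap16_checked(b, sizeof b, 3) != -1) return 0;
    return b[0] == 0x12 && b[1] == 0x34 && b[2] == 0x56 && b[3] == 0x78;
}

int main(void)
{
    printf("in-bounds swap ok: %d, oversized rejected: %d\n",
           demo_in_bounds(), demo_oversized_rejected());
    return 0;
}
```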
Successful exploitation could allow attackers to execute arbitrary code in the context of the current user. To exploit this vulnerability, an attacker must persuade a victim to open a specially crafted PICT picture file with QuickTime. This could be accomplished by a direct link or by a file referenced from a website under the attacker's control. An attacker could host a Web page containing a malformed PICT file; upon visiting the malicious Web page, exploitation would occur and execution of arbitrary code would be possible. Alternatively, a PICT file could be attached to an e-mail message.
Workaround:
Disabling the QuickTime plugin and altering the .pct, .pic and .pict file type associations within the registry.
Disabling the plugin will prevent Web browsers from using QuickTime Player to view associated media files.
Removing the file type associations within the registry will prevent QuickTime Player and Picture Viewer from opening .pct, .pic and .pict files.