Tuesday, August 3, 2010

QuickTime Player Streaming Debug Error Logging Buffer Overflow


Krystian Kloskowski has discovered a vulnerability in QuickTime Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow, for example by tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 7.6.6 (1671) for Windows. Other versions may also be affected.
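The boundary error described above is the classic pattern of formatting an externally supplied URL into a fixed-size stack buffer for a log line. The following is an added example, not QuickTime's code: the buffer size, log format and function name are assumptions chosen to show the bounded form of that operation with explicit truncation handling.

```c
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256 /* assumed size of the fixed stack buffer */

/* Bug class from the advisory (shown only as a comment, not compiled):
 *     char line[LOG_LINE_MAX];
 *     sprintf(line, "stream: opening url=%s", url);
 * The URL length comes from the SMIL file, so nothing bounds the write. */

/* Hypothetical hardened formatter.
 * Returns 0 if the line fit, 1 if it was truncated, -1 on bad arguments. */
int format_log_line(char *dst, size_t dst_size, const char *url)
{
    static const char marker[] = "...[truncated]";
    int n;

    if (dst == NULL || url == NULL || dst_size <= sizeof marker)
        return -1;

    /* snprintf never writes more than dst_size bytes, NUL included. */
    n = snprintf(dst, dst_size, "stream: opening url=%s", url);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    if ((size_t)n < dst_size)
        return 0;

    /* Output was cut: make that visible in the log instead of silent. */
    memcpy(dst + dst_size - sizeof marker, marker, sizeof marker);
    return 1;
}

int main(void)
{
    char line[LOG_LINE_MAX];
    char long_url[4097]; /* constructed sample: overly long URL */

    memset(long_url, 'A', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';

    printf("%d %s\n", format_log_line(line, sizeof line, long_url), line);
    return 0;
}
```

A return value of 1 is also a useful signal to record, since a URL far longer than the log buffer is itself unusual input.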


Reports indicate that removing the QuickTimeStreaming.qtx file is an effective mitigation; however, it will kill your ability to watch streaming content in QT.

