Apple Quicktime Font Table Signed Length Remote Code Execution VulnerabilityZDI-11-340: December 7th, 2011
TippingPoint™ IPS Customer ProtectionTippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 11876. For further product information on the TippingPoint IPS:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within how the application parses font names embedded within an atom. When parsing the font name, the application will treat a length from the file as a signed value when copying font data into a buffer. Due to an unsigned promotion, this can be used to write outside the bounds of a buffer which can lead to code execution under the context of the application.
Vendor ResponseApple has issued an update to correct this vulnerability. More details can be found at:
2011-07-20 - Vulnerability reported to vendor
2011-12-07 - Coordinated public release of advisory
CreditThis vulnerability was discovered by: