Apple's QuickTime is a player for files and streaming media in a variety of different formats. A flaw in QuickTime's handling of files in the Graphics Interchange Format (GIF) could allow a remote attacker to execute arbitrary code on a vulnerable system.
A heap overflow exists in the way QuickTime handles the Netscape Navigator Application Extension Block of a GIF image. A specially crafted GIF image can allow attackers to execute arbitrary code of their choosing with the privileges of the user running QuickTime.
Note that this issue affects QuickTime installations on both Apple Mac OS X and Microsoft Windows operating systems.
An attacker with the ability to supply a maliciously crafted GIF file (.gif) could execute arbitrary code on a vulnerable system. The attacker-supplied code would be executed with the privileges of the QuickTime user opening the malicious file. The crafted GIF image may be supplied on a webpage or in email, or by some other means designed to encourage the victim to invoke QuickTime on the exploit image.
Install an update
Apple credits Karl Lynn of eEye Digital Security for reporting this issue. However, the eEye advisory on this issue credits Fang Xing.
This document was written by Chad R Dougherty based on information supplied by Apple and eEye Digital Security.
|Date First Published:||2006-01-11|
|Date Last Updated:||2006-01-31 15:14 UTC|