Added: 07/16/2012
CVE: CVE-2012-0667
BID: 53583
OSVDB: 81938
QuickTime is a media player for Windows and Mac OS platforms.
Apple QuickTime 7.7.1 and earlier versions are vulnerable to remote code execution if the user is persuaded to open a specially crafted QTVR movie file. The specific flaw exists within the QuickTimeVR.qtx component, which fails to properly check the stringLength parameter when processing a QTVRStringAtom, resulting in an integer signedness buffer overflow. Successful exploitation could result in a remote attacker running arbitrary code in the context of the affected user.
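The signedness bug class described above, shown beside a hardened length check. This is an added illustration, not QuickTime's code: the atom layout (2-byte usage, 2-byte big-endian stringLength, then the string bytes), the 64-byte destination size and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEST_CAP 64 /* assumed destination buffer size, for illustration */

/* Constructed sample atoms. Assumed layout: 2-byte usage, 2-byte
   stringLength (big-endian), then the string bytes. */
const uint8_t sample_ok[]  = {0x00, 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
const uint8_t sample_bad[] = {0x00, 0x01, 0xFF, 0xF0, 'A', 'A', 'A', 'A'};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Flawed pattern: the length is held in a signed type and only an upper
   bound is tested. Returns 1 if the check passes. No copy is performed. */
int flawed_check_accepts(const uint8_t *atom) {
    int16_t len = (int16_t)be16(atom + 2); /* 0xFFF0 becomes -16 */
    return len <= DEST_CAP;                /* a negative value passes */
}

/* Size a later memcpy(dst, src, len) would receive once the signed
   value is converted to size_t. */
size_t flawed_copy_size(const uint8_t *atom) {
    return (size_t)(int16_t)be16(atom + 2);
}

/* Hardened parse: unsigned length, bounded by the destination capacity
   and by the bytes actually present in the atom. Returns length or -1. */
int parse_string_atom(const uint8_t *atom, size_t atom_len,
                      char *dst, size_t dst_cap) {
    if (atom_len < 4 || dst_cap == 0) return -1;
    uint16_t len = be16(atom + 2);
    if (len >= dst_cap) return -1;      /* leave room for the terminator */
    if (len > atom_len - 4) return -1;  /* declared length exceeds input */
    memcpy(dst, atom + 4, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void) {
    char out[DEST_CAP];
    printf("flawed check accepts bad atom: %d\n", flawed_check_accepts(sample_bad));
    printf("resulting copy size: %zu\n", flawed_copy_size(sample_bad));
    printf("hardened, bad atom: %d\n",
           parse_string_atom(sample_bad, sizeof sample_bad, out, sizeof out));
    printf("hardened, good atom: %d\n",
           parse_string_atom(sample_ok, sizeof sample_ok, out, sizeof out));
    return 0;
}
```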
Upgrade to QuickTime 7.7.2 or higher.
<http://support.apple.com/kb/HT5261>
<http://www.zerodayinitiative.com/advisories/ZDI-12-077/>
This exploit was tested against Apple QuickTime 7.7.1 on Windows XP SP3 English (DEP OptIn).
The user must open the HTML exploit file in Internet Explorer 8.
Windows