Zero-Day Exploit Strikes QuickTime 7.5.5, iTunes 8.0
Thursday September 18, 2008 at 8:26 am CST
Posted by Wei Wang
A zero-day exploit against the latest QuickTime (Version 7.5.5) and iTunes (8.0) was released yesterday. The exploit author announced this as a remote heap overflow so we decided to take a look and analyze it.
After our research, we found that this is actually an off-by-one stack overflow. Some noteworthy points:
1. QuickTime has the /GS switch option enabled, hence a cookie is put into the stack.
2. Since this is an off-by-one stack overflow, the attacker can just overwrite one byte of the cookie. The Check_stack_cookie function is called when the function returns. If the Check_stack_cookie found out that the cookie is not matched, then the program exits. This results in the crash of QuickTime and iTunes.
The crash means it is unlikely that code execution would be feasible via this attack vector. Howerver, users of these apps should take the attack seriously and look at appropriate defenses.
September 18th, 2008 at 08:44
So, when will the update release? Do let us know.
September 19th, 2008 at 04:28
Does this affect older versions of iTunes/QuickTime?
And in terms of appropriate defenses, what would those be? Has McAfee released a DAT update to detect this?
September 19th, 2008 at 08:14
[...] New QuickTime 7.5.5 and iTunes 8 Exploits http://www.avertlabs.com/research/blog/index.php/2008/09/18/the-true-of-recent-0day-for-quicktime755…http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114999 [...]
September 19th, 2008 at 08:14
[...] New QuickTime 7.5.5 and iTunes 8 Exploits http://www.avertlabs.com/research/blog/index.php/2008/09/18/the-true-of-recent-0day-for-quicktime755…http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114999 [...]
September 23rd, 2008 at 15:35
[...] McAfee Avert Labs Blog [...]
September 25th, 2008 at 07:45
[...] New QuickTime 7.5.5 and iTunes 8 Exploits http://www.avertlabs.com/research/blog/index.php/2008/09/18/the-true-of-recent-0day-for-quicktime755…http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114999 [...]