Heap-based buffer overflow in Apple QuickTime

#VU65651 Heap-based buffer overflow in Apple QuickTime

Published: 2022-07-21

Vulnerability identifier: #VU65651

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-0001

CWE-ID: CWE-122

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apple QuickTime
Client/Desktop applications / Multimedia software

Vendor: Apple Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Heap-based buffer overflow in Apple QuickTime. A remote attacker can use a crafted RTSP URL to trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Apple QuickTime: 7.0 - 7.5.5

External links
http://lists.apple.com/archives/security-announce/2009/Jan/msg00000.html
http://secunia.com/advisories/33632
http://support.apple.com/kb/HT3403
http://www.securityfocus.com/bid/33385
http://www.us-cert.gov/cas/techalerts/TA09-022A.html
http://www.vupen.com/english/advisories/2009/0212
http://exchange.xforce.ibmcloud.com/vulnerabilities/48154
http://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6135

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM PureData System for Operational Analytics