iTunes & QuickTime security alert

Both iTunes and QuickTime are vulnerable to a buffer overflow attack when reading maliciously crafted video files.

Yesterday saw the disclosure – and subsequent exploitation, predictably – of a major security flaw in the latest versions of Apple's QuickTime and iTunes packages.

According to CNet, the flaw – entered into NIST's National Vulnerability Database with ID CVE-2008-4116 – affects QuickTime 7.5.5 and iTunes 8.0.

The flaw centres on a heap-based buffer overflow which can be exploited via a long-type attribute in a QuickTime tag, delivered either as a maliciously crafted MP4 or MOV video file or embedded within a webpage if the QuickTime browser plugin is installed. As with most buffer overflow vulnerabilities, the flaw can result in mild annoyance – a crash when the program attempts to access memory which is out of bounds – or in remote code execution, which is far more serious.

The discovery of this flaw comes shortly after an update was released for issues with iTunes 8 on Windows Vista, and just days after the latest Mac OS X update was made available. Sadly, there's no patch available for this flaw as yet.

If you're hoping for a workaround, the only way to be sure of safety is to avoid using iTunes and QuickTime to play back video and audio files, and to uninstall the QuickTime browser helper component.

Has anyone noticed inexplicable crashes in iTunes over the last few days, or is this likely to be a storm in a teacup and quickly patched by Apple? Share your thoughts over in the forums.

A major security flaw has been discovered in the latest versions of Apple's iTunes and QuickTime, and thus far there is neither a patch nor a workaround available.

http://www.bit-tech.net/news/2008/09/19/itunes-and-quicktime-security-alert/1