eEye Spots Unpatched Flaw in QuickTime

The security research outfit flags a "high-risk" code execution vulnerability in Apple's QuickTime media player.

Just weeks after Apple Inc. released a fix for three gaping security holes in its QuickTime media player, a private security research outfit has flagged another "high risk" flaw that remains unpatched.

Researchers at eEye Digital Security warned in a brief advisory that default installations of the QuickTime 7.0.3, the newest version, are vulnerable.

A spokesman for eEye told Ziff Davis Internet News the bug was reported to Apple on October 31.

/zimages/3/28571.gifApple plugs QuickTime code execution holes. Click here to read more.

Although the bug could be exploited remotely to launch executable code, a successful attack requires some user action.

"It requires that a maliciously created media file is played," the eEye spokesman explained, noting that the flaw is unlikely to result in an Internet worm.

He said eEye supplied Apple with its preliminary research, which included confirmation of the flaw in QuickTime for Windows. eEye is doing additional research to determine if the Mac OS is affected.

A spokesman for Apple declined comment on the eEye advisory.

Word of the new vulnerability comes just days after an advisory from Apple detailed multiple QuickTime security flaws that could lead to remote code execution attacks.

Those bugs, fixed in QuickTime 7.0.3, were rated "highly critical." In all, the media player upgrade fixed four vulnerabilities, the most dangerous being an integer overflow error in the handling of a "Pascal" style string when loading a ".mov" video file.

This can result in memory overwrite due to a large memory copy, potentially allowing arbitrary code execution via a specially crafted video file.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.