JD on EP: QuickTime vulnerability

« Sasser effects | Main | URL-based arguments »

May 3, 2004

QuickTime vulnerability

QuickTime vulnerability: I don't have the technical details to evaluate this myself, but the worst-case argument sounds serious, so here are the links. eEye Security has found a buffer-overflow exploit in QuickTime, and Apple has released a 19 megabyte updater. From what I've seen in the past, buffer-overflow exploits typically do result in a worst-case crash, when the computer writes down more data than it's expected. But there remains the theoretical possibility of triggering that extra data to execute somehow. Most of the buffer-overflow exploits we read about are read-buffer-overflows, but in this case eEye seems to sound like they've also found a triggering exploit. I've just done a bunch of Windows updates and Norton updates today to make sure I'm Sasser-proof, but if you run a lot of QuickTime from strange sites then it may be good to make sure you're running at least QT6.5.1. (Although, at 19MB, it's probably bigger than all the major versions of the Macromedia Flash Player ever made.... ;-)

Posted by John Dowdell at May 3, 2004 1:19 PM

JD on EP

This is a historical site. New entries are at blogs.adobe.com/jd. Comments are closed on these old entries.

May 3, 2004

QuickTime vulnerability