Haxie-based fix for QuickTime buffer overflow vulnerability
Developer Landon Fuller has created a runtime fix for the stack buffer overflow in the QuickTime Streaming component reported yesterday. This flaw could theoretically lead to malicious code execution on a target Mac, though we've yet to see such an occurrence actually demonstrated.
The third-party fix for this issue uses Unsanity's Application Enhancer, which you'll need to install before downloading and using this fix.
Fuller says:
"The overflow is in the QuickTime Streaming component's INet_ParseURLServer() function -- the fix patches that function and pre-validates the URL before passing it off to the real function implementation. If the URL is too long, the patch replaces the Evil URL with a benign, but invalid one, and then calls the original function.
"It's worth noting that disabling RTSP, as noted elsewhere, is (unfortunately) not necessarily sufficient -- there are other vulnerable entry-points to INet_ParseURLServer(), as it is used for generic URL parsing."
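The validate-then-forward pattern Fuller describes, sketched as an added example (this is not Fuller's patch and not code from the original page). The function prototype, the 256-byte limit, the replacement URL and the stand-in parser are all assumptions made for illustration; the page gives none of them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical prototype: the page does not give the real signature of
 * INet_ParseURLServer(). */
typedef int (*parse_url_fn)(const char *url);

#define MAX_URL_LEN 256                      /* assumed limit, not from the page */
static const char SAFE_URL[] = "invalid:";   /* constructed benign, unparseable URL */

static parse_url_fn original_parse_url;      /* set when the hook is installed */
static size_t last_len_seen;                 /* demo bookkeeping only */

/* Stand-in for the real parser: records what reached it; fails if no "://". */
static int standin_parse_url(const char *url) {
    last_len_seen = strlen(url);
    return strstr(url, "://") ? 0 : -1;
}

/* Count at most max+1 bytes so a huge input is never walked to the end.
 * A result greater than max means "too long". */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n <= max && s[n] != '\0') n++;
    return n;
}

/* Replacement entry point: validate first, then always call the original,
 * so every caller of the parser is covered, not just one protocol handler. */
int patched_parse_url(const char *url) {
    if (url == NULL || bounded_len(url, MAX_URL_LEN) > MAX_URL_LEN)
        url = SAFE_URL;                      /* swap the input, do not truncate it */
    return original_parse_url(url);
}

int main(void) {
    char big[4096];                          /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    original_parse_url = standin_parse_url;
    int rc = patched_parse_url("rtsp://example.com/a.mov");
    printf("normal:    rc=%d, parser saw %zu bytes\n", rc, last_len_seen);
    rc = patched_parse_url(big);
    printf("oversized: rc=%d, parser saw %zu bytes\n", rc, last_len_seen);
    return 0;
}
```

Swapping in an invalid URL rather than truncating means the original function fails through its normal error path instead of parsing a partial, attacker-chosen string.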
Feedback? Late-breakers@macfixit.com.