Apple QuickTime MIDI Heap Buffer Overflow Remote Code Execution Vulnerability

2014-09-22T00:00:00
ID ZDI-14-326
Type zdi
Reporter s3tm3m
Modified 2014-11-09T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of MIDI events. An arithmetic overflow in the handling of the sizes of certain events allows for an attacker to overflow a heap buffer. An attacker could use this to execute arbitrary code in the context of the QuickTime process.