COMMAND
==========
Buffer Overflow in Windows QuickTime Player

SYSTEMS AFFECTED
==========
iDEFENSE has confirmed that QuickTime Player versions 5.x and 6.0 for the Microsoft Windows platform are vulnerable. QuickTime for MacOS is not vulnerable.

PROBLEM
==========
In iDEFENSE Security Advisory 03.31.03:
http://www.idefense.com/advisory/03.31.03.txt

Texonet (http://www.texonet.com) is credited with discovering this vulnerability.

--snip--
An exploitable buffer overflow condition has been discovered in Apple Computer Inc.'s QuickTime Player, allowing for the remote execution of arbitrary code. The vulnerability lies in the processing of long QuickTime URLs (quicktime:// or through the -u switch). When processing a QuickTime URL, the application is launched in the following manner, as can be seen from the Windows registry key HKEY_CLASSES_ROOT/quicktime:

%PATH TO QUICKTIME%\QuickTimePlayer.exe -u"%1"

A URL containing 400 characters will overrun the allocated space on the stack, overwriting the saved instruction pointer (EIP). This will thereby allow an attacker to redirect the flow of control. An example URL that will cause QuickTime Player to crash is:

quicktime://127.0.0.1/AAAA...

where the character 'A' is repeated 400 times.
--snap--

SOLUTION
==========
Apple has released QuickTime 6.1, which addresses this vulnerability. It is available from:
http://www.apple.com/quicktime/download/

WORKAROUND
==========
Removing the QuickTime handler from the web browser or removing the registry key HKEY_CLASSES_ROOT/quicktime can prevent automatic exploitation through HTML pages.
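As an added detection example (not part of the iDEFENSE advisory or Apple's code), the following Python scans HTML or proxy-log text for quicktime:// URLs and flags any whose length reaches the 400-character figure the advisory gives for the stack overrun. The sample HTML is constructed for the example; the threshold is taken from the advisory and the regex delimiters are an assumption about how such URLs appear in markup.

```python
import re
from typing import List, Tuple

# Length at which the advisory says the -u"%1" argument overruns the stack buffer.
OVERFLOW_LENGTH = 400

# A quicktime:// URL runs until the next quote, whitespace or tag delimiter
# (assumed delimiters for URLs embedded in HTML attributes or log fields).
QT_URL_RE = re.compile(r'quicktime://[^\s"\'<>]+', re.IGNORECASE)


def find_quicktime_urls(text: str) -> List[str]:
    """Return every quicktime:// URL found in a blob of HTML or log text."""
    return QT_URL_RE.findall(text)


def flag_overlong(text: str, threshold: int = OVERFLOW_LENGTH) -> List[Tuple[str, int]]:
    """Return (truncated_url, length) for each quicktime:// URL at or above threshold.

    Short URLs are left alone; only those long enough to reach the overrun
    described in the advisory are reported, truncated for safe logging.
    """
    hits = []
    for url in find_quicktime_urls(text):
        if len(url) >= threshold:
            hits.append((url[:60] + "...", len(url)))
    return hits


# Constructed sample: one benign embed and one link carrying the advisory's crash pattern.
SAMPLE_HTML = (
    '<embed src="quicktime://media.example.test/trailer.mov" autoplay="true">\n'
    '<a href="quicktime://127.0.0.1/' + "A" * 400 + '">play</a>\n'
)

if __name__ == "__main__":
    for url, length in flag_overlong(SAMPLE_HTML):
        print(f"overlong quicktime URL ({length} chars): {url}")
```

Run over a page or log line, only the 422-character 127.0.0.1 URL is reported; the 42-character trailer URL passes.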