Apple QuickTime Pict File Matrix Parsing Remote Code Execution Vulnerability

Discovered on:
2010-02-10
Reported on:
2011-04-11
Remediated on:
2011-06-29
Published on:
2011-06-29
Severity:
CVE:
CVE-2010-3790
Class:
CWE-119

Summary

Apple QuickTime before Mac OS X v10.6.8 and Security Update 2011-004 does not properly handle Matrix structures in PICT files with out-of-bounds index values. The resulting write to an out-of-bounds memory address can be used to execute arbitrary code in the context of the application loading the image, without user interaction.

Technical details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists in how the application parses a Matrix structure carried by a particular opcode embedded in a .pict file. When the application uses this Matrix structure to transform image data, it miscalculates the index that represents a row of an object. This causes the application to write outside the bounds of the array of objects, which can lead to code execution in the context of the application.
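The defect pattern described above, shown as an added example beside its hardened form. This is not QuickTime's code: the advisory does not disclose the real PICT matrix layout, so the record layout, ROW_COUNT, the status codes and the function names here are hypothetical constructs that only model the class of bug (an untrusted index used to select a row object).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not QuickTime code: a table of ROW_COUNT row objects
 * that a "matrix" record from the image file is allowed to update. */
#define ROW_COUNT 4

typedef struct {
    int32_t rows[ROW_COUNT];
} row_table_t;

/* Hypothetical record layout: 2-byte big-endian row index, 4-byte value. */
#define RECORD_LEN 6

enum { MATRIX_OK = 0, MATRIX_TRUNCATED = -1, MATRIX_BAD_INDEX = -2 };

static uint32_t be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* The flawed pattern the advisory describes is, in effect:
 *     t->rows[be16(rec)] = value;   // index trusted straight from the file
 * An index >= ROW_COUNT then writes past the end of the row array.
 * The hardened version below validates the record length and the index
 * before any memory is written. */
int apply_matrix_record(row_table_t *t, const uint8_t *rec, size_t len)
{
    if (len < RECORD_LEN)
        return MATRIX_TRUNCATED;        /* never read past the record */
    uint32_t idx = be16(rec);
    if (idx >= ROW_COUNT)
        return MATRIX_BAD_INDEX;        /* reject before touching the table */
    t->rows[idx] = (int32_t)be32(rec + 2);
    return MATRIX_OK;
}

/* Applies one record to a zeroed table and reports both the status code
 * and the value that ended up in row `which`, so results can be checked. */
int run_record(const uint8_t *rec, size_t len, int32_t *row_out, uint32_t which)
{
    row_table_t t;
    memset(&t, 0, sizeof t);
    int rc = apply_matrix_record(&t, rec, len);
    *row_out = t.rows[which];
    return rc;
}
```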

Patch or remediation

Apple released Mac OS X v10.6.8 and Security Update 2011-004.

References

The following references are relevant to this advisory: