Critical Vulnerability in Apple Quicktime’s Indeo Codec
September 15th, 2008
Paul Byrne of NGSSoftware has discovered a critical vulnerability in Apple Quicktime’s implementation of the Indeo Codec (CVE-ID: CVE-2008-3615) which may allow an attacker to execute arbitrary code on a user’s system when a malformed movie file containing video encoded in the Indeo Codec is played in Quicktime. The issue can also be triggered through the Quicktime Internet Explorer ActiveX control. The flaw is in the Quicktime library for Indeo, in the file “ir50_32.qtx”, which was previously distributed through Apple’s website but written by a third party. The codec has now been removed and is no longer supported in the latest version of Quicktime.
This issue has been resolved in the newest version of Apple Quicktime, 7.5.5. To see Apple’s release, go to:
http://support.apple.com/kb/HT3027
NGSSoftware are going to withhold details of this flaw for three months. Full details will be published on the 14th December 2008. This three-month window will allow other vendors the time needed to create patches in their versions of the Indeo Codec before the details are released to the general public. This reflects NGSSoftware’s approach to responsible disclosure.
NGSSoftware Insight Security Research
Email: nisr@ngssoftware.com
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070