Buffer overflow in Apple's iTunes
Catchy songs generally get stuck in your brain, but users of Apple's iTunes might also find them getting stuck in their PCs if a security hole is exploited when an AAC file is played. AAC files have the extensions .M4A, .M4P or .MP4. The cause of the vulnerability is an integer overflow that occurs when manipulated sample tables (sample_size_table) are read.
Attackers can use manipulated files to crash the application or, in the worst case, to inject code and have it executed with the user's rights. Under Windows, the user is generally an administrator; under Mac OS X, the user generally has restricted rights. However, users still have to click on the song in Apple's player. The hole has been patched in iTunes version 6.0.5 for both Windows and Mac OS X.
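The class of bug described above, as an added example that is not Apple's code or part of the original article: a 32-bit size computation for a table wraps when the file supplies an oversized entry count, and a reader avoids this by bounding the count against the bytes actually present. The table layout (modelled on the MP4 'stsz' box), the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read a big-endian 32-bit field, the byte order MP4 boxes use. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed pattern: a 32-bit byte count for the table wraps modulo 2^32. */
uint32_t unchecked_table_bytes(uint32_t sample_count) {
    return sample_count * (uint32_t)sizeof(uint32_t);
}

/* Hardened reader. Assumed layout (modelled on the 'stsz' box):
 * 4 bytes version/flags, 4 bytes default sample_size, 4 bytes sample_count,
 * then sample_count 32-bit entries. Returns 0 on success, -1 on rejection. */
int read_sample_size_table(const uint8_t *buf, size_t len, uint64_t *total) {
    if (len < 12) return -1;
    uint32_t count = be32(buf + 8);
    /* Bound the count by the bytes actually present; division cannot wrap. */
    if (count > (len - 12) / 4) return -1;
    *total = 0;
    for (uint32_t i = 0; i < count; i++)
        *total += be32(buf + 12 + (size_t)i * 4);   /* 64-bit sum, no wrap */
    return 0;
}

/* Constructed sample inputs, not taken from a real file. */
static const uint8_t good_table[] = {
    0,0,0,0,  0,0,0,0,  0,0,0,2,          /* sample_count = 2 */
    0,0,0x01,0x00,  0,0,0x02,0x00 };      /* entries 256 and 512 */
static const uint8_t bad_table[] = {
    0,0,0,0,  0,0,0,0,  0x40,0,0,0x01,    /* sample_count = 0x40000001 */
    0,0,0,0x10 };                         /* only one entry present */

int main(void) {
    uint64_t total = 0;
    printf("unchecked bytes for bad count: %u\n",
           (unsigned)unchecked_table_bytes(0x40000001u));
    printf("good: %d\n", read_sample_size_table(good_table, sizeof good_table, &total));
    printf("bad:  %d\n", read_sample_size_table(bad_table, sizeof bad_table, &total));
    return 0;
}
```

With the unchecked computation, a claimed count of 0x40000001 entries yields a 4-byte table size, which is why the count has to be validated before any buffer is sized from it.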
- About the security content of iTunes 6.0.5, Apple's security advisory
- Apple iTunes AAC File Parsing Integer Overflow Vulnerability, TippingPoint's security advisory