Saturday, February 14, 2015

Apple QuickTimePlayer Insecure DLL Loading Code Execution

By default QuickTimePlayer installation does't come with CoreFoundation.dll but QT Player tries to load the DLL when started.

Create any malicious DLL and rename it to CoreFoundation.dll, copy to C:\Program Files (x86)\QuickTime\

After copying the DLL if we start QuickTimePlayer we will execute the code part of malicious DLL leading to DLL Injection.

Location: C:\Program Files (x86)\QuickTime\CoreFoundation.dll
Application: QuickTime 7.7.2
OS: Windows 7 Ultimate N SP1

Apples response
        After examining your report we do not see any actual security implications. 
        Writing a file to the C:\Program Files (x86)\QuickTime  directory requires local 
        administrative privileges.