Aliso Viejo (CA) - Yesterday, the eEye Digital Security consultancy reported that it had discovered last November a class of heap overflow error in Apple's QuickTime media software on both Windows and Macintosh computers, which it claimed could be exploited through Apple's iTunes software. Apple released a patch for QuickTime on all platforms yesterday, in concert with eEye's announcement.
What eEye discovered is that a downloaded media file can direct the QuickTime library to allocate more memory than it will actually use, by supplying an improper multiple of the file's "atom" size (a unit of allocated memory). The resulting mis-allocation can trigger a heap overflow, which could conceivably let a malicious user gain control of certain processes while memory allocation is in an inconsistent state.
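As an added illustration of the general defect class the article describes (a file-controlled count driving an allocation size), and not eEye's finding, Apple's code or the real QuickTime atom format, the following constructed parser shows an unchecked size computation beside the validated form a defender would expect; the atom layout, `ENTRY_SIZE` and the function names are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed atom layout for this example only (not QuickTime's real
 * format): a 4-byte big-endian entry count followed by the entries. */
#define ENTRY_SIZE 12u   /* assumed fixed size of one entry */

/* Read a big-endian 32-bit value from the file buffer. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Defective sizing: the multiply is done in 32 bits and can wrap, so a
 * crafted count yields an allocation far smaller than the data a later
 * copy loop would trust. Returned only so the wrap can be observed. */
uint32_t unsafe_alloc_size(uint32_t count) {
    return count * ENTRY_SIZE;            /* may wrap to a tiny value */
}

/* Hardened sizing: reject a count whose total would not fit in size_t or
 * would exceed the bytes actually present after the header. Returns 0 on
 * failure; a zero-count atom is treated as malformed here by choice. */
size_t safe_alloc_size(uint32_t count, size_t avail) {
    if (count == 0 || count > SIZE_MAX / ENTRY_SIZE) return 0;
    size_t need = (size_t)count * ENTRY_SIZE;
    if (need > avail) return 0;           /* file declares more than it holds */
    return need;
}

/* Parse a constructed atom [count:4][entries...]. On success returns a heap
 * copy of the entries sized by the validated computation and stores its
 * length in *out_len; returns NULL when the header is inconsistent. */
uint8_t *parse_entries(const uint8_t *buf, size_t len, size_t *out_len) {
    if (buf == NULL || out_len == NULL || len < 4) return NULL;
    uint32_t count = be32(buf);
    size_t need = safe_alloc_size(count, len - 4);
    if (need == 0) return NULL;
    uint8_t *entries = malloc(need);
    if (entries == NULL) return NULL;
    memcpy(entries, buf + 4, need);       /* bounded by the validated size */
    *out_len = need;
    return entries;
}
```

The caller owns the returned buffer and releases it with `free()`.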
In a prepared statement, eEye's chief hacking officer (that's his real title), Marc Maiffret, said, "Most IT departments probably saw Apple's security update and thought 'that's a consumer application, I don't have to worry about security policies for that.' Those IT departments would be mistaken." The presence of an iPod around an employee's neck, the CHO stated, is an indicator of the presence of iTunes on the employer's network, which could lead to dire consequences if not sufficiently managed. Maiffret did not go into detail about what other items commonly found on an employee's person could constitute a threat to a company's memory buffers, such as cell phones with text links to IM services.