VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2011 · Updated Apr 29, 2026

CVE-2011-1417

Description

Integer overflow in QuickLook, as used in Apple Mac OS X before 10.6.7 and MobileSafari in Apple iOS before 4.2.7 and 4.3.x before 4.3.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a Microsoft Office document with a crafted size field in the OfficeArtMetafileHeader, related to OfficeArtBlip, as demonstrated on the iPhone by Charlie Miller and Dion Blazakis during a Pwn2Own competition at CanSecWest 2011.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in QuickLook and MobileSafari parsing OfficeArtMetafileHeader cbSize leads to arbitrary code execution via crafted Office file.

Vulnerability

CVE-2011-1417 is an integer overflow vulnerability in Apple's QuickLook component (Mac OS X before 10.6.7) and MobileSafari (iOS before 4.2.7 and 4.3.x before 4.3.2). The flaw is in the parsing of Microsoft Office documents, in the code that processes the OfficeArtMetafileHeader structure, specifically its handling of the cbSize field in OfficeArtBlip. The software trusts the cbSize value and performs arithmetic on it without checking for overflow, which leads to an undersized memory allocation. Affected versions are Mac OS X 10.6 through 10.6.6, iOS 4.2.5 through 4.2.6 (iPhone 4 CDMA), and iOS 4.3 through 4.3.1 [1][2][4].
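
The bug class described above, as an added C illustration (not Apple's code, which this page does not show): a size field taken from the header is used in 32-bit arithmetic, first unchecked and then with validation. The 34-byte overhead, the 64 MiB cap, the field's position and encoding, and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_OVERHEAD  34u          /* assumed bytes added to cbSize before allocating */
#define MAX_BLIP_SIZE (64u << 20)  /* assumed policy cap on a single blip: 64 MiB */

/* Read the size field; assumed 32-bit little-endian at the start of the header. */
static uint32_t read_cb_size(const uint8_t *hdr)
{
    return (uint32_t)hdr[0] | (uint32_t)hdr[1] << 8 |
           (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
}

/* Unchecked: trusts the field; the 32-bit sum wraps for values near UINT32_MAX. */
uint32_t alloc_size_unchecked(const uint8_t *hdr)
{
    return read_cb_size(hdr) + HDR_OVERHEAD;
}

/* Checked: returns false instead of producing a wrapped or oversized length. */
bool alloc_size_checked(const uint8_t *hdr, size_t hdr_len, uint32_t *out)
{
    uint32_t cb_size;

    if (hdr == NULL || out == NULL || hdr_len < 4)
        return false;                 /* truncated header */
    cb_size = read_cb_size(hdr);
    if (cb_size > MAX_BLIP_SIZE)      /* implausible size; also rules out wrap */
        return false;
    *out = cb_size + HDR_OVERHEAD;    /* cannot wrap: cb_size <= 64 MiB */
    return true;
}

/* Constructed sample size fields (not taken from any real document). */
static const uint8_t SAMPLE_OK[4]  = {0x00, 0x10, 0x00, 0x00};  /* 4096 */
static const uint8_t SAMPLE_BAD[4] = {0xF0, 0xFF, 0xFF, 0xFF};  /* 0xFFFFFFF0 */

int main(void)
{
    uint32_t n = 0;
    printf("unchecked(bad) = %u\n", (unsigned)alloc_size_unchecked(SAMPLE_BAD));
    printf("checked(ok)    = %d\n", alloc_size_checked(SAMPLE_OK, 4, &n));
    printf("checked(bad)   = %d\n", alloc_size_checked(SAMPLE_BAD, 4, &n));
    return 0;
}
```

The unchecked path turns a claimed size of nearly 4 GiB into a request for a few bytes, which is the undersized allocation the description refers to; the checked path rejects the record before any allocation happens.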

Exploitation

An attacker must craft a malicious Microsoft Office document with a specially crafted cbSize field in the OfficeArtMetafileHeader. The attacker then delivers the document to the victim, typically via a web page or email. The victim must open the document in an affected application (QuickLook in Finder or Mail, or MobileSafari on iPhone). No authentication is needed; the attack is remote. Charlie Miller and Dion Blazakis demonstrated this exploit on an iPhone during the Pwn2Own competition at CanSecWest 2011 [3][4]. The exploitation involves triggering the integer overflow to cause a heap buffer overflow, then corrupting memory to hijack execution flow.

Impact

Successful exploitation allows arbitrary code execution in the context of the affected application. On Mac OS X, QuickLook runs with user privileges; on iOS, MobileSafari runs as the mobile user. This could lead to full compromise of the user's data, which an attacker's code could read or modify, as well as denial of service (crash). The CVSS score is 9.7 (AV:N/AC:L/Au:N/C:C/I:C/A:P) [4].

Mitigation

Apple released fixes in Mac OS X 10.6.7 (Security Update 2011-001) on March 21, 2011, and in iOS 4.2.7 (for iPhone 4 CDMA) and iOS 4.3.2 on March 22, 2011. Users should update via Software Update or iTunes. No workaround is available for unpatched systems. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of February 2025.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

46
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (+ 29 more)
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* range: <=4.2.5
    • cpe:2.3:o:apple:iphone_os:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.1.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:2.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.1.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:3.2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.3.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:* (+ 7 more)
    • cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:* range: <=10.6.6
    • cpe:2.3:o:apple:mac_os_x:10.6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x:10.6.5:*:*:*:*:*:*:*
    • (no CPE) range: <10.6.7
  • cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:* (+ 6 more)
    • cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:* range: <=10.6.6
    • cpe:2.3:o:apple:mac_os_x_server:10.6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:mac_os_x_server:10.6.5:*:*:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <4.2.7 || >=4.3.0 <=4.3.2
