I should mention that this vulnerability is even worse for 32-bit programs. Since the entire address space for those is confined to 2-3GB, a malicious MOC3 file can access all of the program's data.