Apple on Wednesday released an update to QuickTime, version 7.4.1, closing a critical hole that’s been known for nearly a month. Specifically, the update addresses a vulnerability that could leave users open to arbitrary code execution via a web page embedded with a specially-crafted streaming media file.
The vulnerability is a heap buffer overflow that exists in QuickTime’s handling of HTTP responses when RTSP tunneling is enabled. The update improves bounds checking, thus preventing the issue from occurring. This is Apple’s fifth QuickTime patch since October including another RTSP vulnerability that led to a series of attacks back in December.
Given the security nature of this update, 7.4.1 is of course recommended for all QuickTime 7 users and can be downloaded through Apple’s Software Update utility or from the Apple Downloads site.