Apple on Wednesday released an update to QuickTime, version 7.4.1. The update is available through the Software Update system preference and from Apple’s downloads Web site. Separate updaters have been posted for Mac OS X v10.3, 10.4 and 10.5.
The update “addresses security issues and improves compatibility with third-party applications,” according to Apple. Apple provided no additional details about those changes in the release notes, but Macworld has confirmed with an Apple spokesman that this update addresses a previously reported incompatibility between QuickTime 7.4 and Adobe After Effects.
According to a separately posted note on Apple’s Web site, QuickTime 7.4.1 also includes a security improvement that can prevent a malicious Web site from causing an unexpected application termination or arbitrary code execution.
Apple describes the problem as a “heap buffer overflow” that occurs in QuickTime 7.4’s handling of HTTP responses when RTSP tunneling is enabled. The update improves bounds checking, thus preventing the issue from occurring.
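As an added illustration, not Apple’s code, the following shows the kind of bounds check the fix describes, applied to a small parser for HTTP response headers of the sort a tunneling client reads: the header value is copied into the caller’s buffer only after confirming it fits, which is the check whose absence lets an oversized response overflow a heap buffer. The sample response, header names and function names are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Constructed sample HTTP response (not captured from real traffic). */
static const char SAMPLE_RESPONSE[] =
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: application/x-rtsp-tunnelled\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Copy the value of header `name` from `resp` into `out` (capacity out_len).
 * Returns the value length on success, -1 if the header is absent, and
 * -2 if the value would not fit: the case an unchecked memcpy into a
 * fixed-size heap buffer would turn into an overflow. */
int get_header_value(const char *resp, const char *name, char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *line = resp;

    while (*line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);
        if (line_len == 0) break;                    /* blank line ends headers */

        if (line_len > name_len + 1 &&
            strncasecmp(line, name, name_len) == 0 && line[name_len] == ':') {
            const char *val = line + name_len + 1;
            const char *end = line + line_len;
            while (val < end && isspace((unsigned char)*val)) val++;
            size_t val_len = (size_t)(end - val);
            if (val_len + 1 > out_len) return -2;    /* the bounds check */
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return (int)val_len;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return -1;
}

/* Helpers over the constructed sample, so results can be checked by name. */
int sample_lookup(const char *name, size_t cap)
{
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return get_header_value(SAMPLE_RESPONSE, name, buf, cap);
}

int sample_value_is(const char *name, const char *expected)
{
    char buf[64];
    if (get_header_value(SAMPLE_RESPONSE, name, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}
```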
On Jan. 10, researcher Luigi Auriemma disclosed the flaw by posting proof-of-concept attack code that could be used to run unauthorized software on a victim’s computer. For the attack to work, the criminal would have to first trick the user into viewing a maliciously encoded QuickTime media file.
With the attack code available, security researchers had been hoping that Apple would address the flaw. Wednesday’s QuickTime 7.4.1 update is for both OS X and Windows.
It is Apple’s fifth QuickTime update since October. The company has been forced to issue the flurry of patches as security researchers have taken a closer look at media player flaws during the past year. In December, Apple patched a separate RTSP vulnerability, which online criminals had already started to use in their attacks.
“In the past few months, QuickTime has been a prevalent target for security researchers,” said Andrew Storms, director of security operations with nCircle Network Security, via instant message. “Internet media applications on the desktop have been a rich target for attackers and this trend is sure to continue as most users aren’t yet accustomed to attacks arriving in the form of a viral video.”
This article was updated at 3:50 p.m. PT to include background reports written by Robert McMillan of IDG News Service.