Apple patches January's critical QuickTime bug

Apple Inc. today patched its QuickTime media player for the second time this year, closing a critical hole that's been known for nearly a month.

The update to QuickTime 7.4.1 fixes a single flaw in the player's handling of the Real-Time Streaming Protocol (RTSP), a streaming-media protocol that Apple last patched in December to crush a different bug. According to Apple, the vulnerability can be exploited by duping users into visiting a malicious Web site.

Last month, Italian researcher Luigi Auriemma posted sample attack code for the vulnerability, which he said could be exploited using both the Windows and Mac OS X versions of QuickTime. Shortly after that, however, another researcher claimed that only the Windows edition was buggy.

Apparently not. Apple updated both the Windows and Mac versions of QuickTime today, and cited not only Windows XP and Vista as involved, but also the players included with Mac OS X 10.3, 10.4 and 10.5.

Today's security advisory noted that a successful attack "may lead to an unexpected application termination or arbitrary code execution." The last phrase -- "arbitrary code execution" -- is Apple's way of saying that attackers may be able to insert their own malicious code into the victimized computer and snatch control of it from its rightful user.

In mid-January, Apple patched four other vulnerabilities in QuickTime; today's fix, the fifth for the year, puts Apple on an annual pace of 45 total QuickTime bugs. In 2007, the company patched 34 vulnerabilities in its multimedia player program.

Auriemma was not immediately available to confirm that the update plugged the hole he had uncovered.

Mac users can upgrade to QuickTime 7.4.1 using the operating system's built-in Software Update feature, while Windows users can either download the new edition from the Apple site or use the Windows-only update tool.
