Apple on Thursday released an updated version of its QuickTime media software for Mac OS X and Windows that addresses a security vulnerability and restores compatibility with a third-party video program.
QuickTime 7.4.1 addresses a flaw in the way earlier versions of QuickTime handled the Real-Time Streaming Protocol. "A heap buffer overflow exists in QuickTime's handling of HTTP responses when RTSP tunneling is enabled," Apple explained in its security bulletin. "By enticing a user to visit a maliciously crafted Web page, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking."
Apple fixed a previous RTSP buffer overflow bug (CVE-2007-6166) with the release of QuickTime 7.3.1 on Dec. 13.
The RTSP vulnerability was reported on Jan. 10 by Italian security researcher Luigi Auriemma. On Jan. 15, Apple released security fixes for its iPod Touch, iPhone, and QuickTime, but the RTSP bug wasn't addressed. The QuickTime 7.4 release, however, caused problems for users of Adobe's (NSDQ: ADBE) professional video graphics program After Effects.
From the release of QuickTime 7.1.3 in January 2007 through the release of QuickTime 7.3.1 in December of that year, Apple fixed 34 different QuickTime vulnerabilities. In 2006, Apple fixed 28 QuickTime holes. So far this year, Apple has made five specific QuickTime repairs.
QuickTime 7.4.1 works with Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, and Windows XP SP2. It's available through the Software Update control panel or from Apple's Web site.