This article originally appeared in TidBITS on 2008-02-06 at 3:32 p.m.
The permanent URL for this article is:
Include images: Off

QuickTime 7.4.1 Fixes Zero-Day Vulnerability

by Rich Mogull

Apple has released QuickTime 7.4.1, a critical security update all users should apply immediately. It is available via Software Update and as a direct download for Leopard [1], Tiger [2], Panther [3], and Windows [4] systems.

This update patches a month-old zero-day vulnerability in the QuickTime streaming protocol (RTSP) that could allow an attacker to take over your computer if you visit a malicious Web site or receive an email with a malicious link. In security parlance, we call this "remote execution of arbitrary code," using a vulnerability for which no patch exists (the "zero-day" part). This is similar to a previous vulnerability in RTSP that Apple patched in the QuickTime 7.3.1 update (see "QuickTime 7.3.1 Fixes RTSP Vulnerability [5]," 2007-12-14).

As usual, release notes are a sparse "addresses security issues and improves compatibility with third-party applications." A separate security note provides more details [6], but the security information isn't even referenced by the release notes on the download page [7], although they do appear on the security updates page [8].

Since this vulnerability has been in the wild with sample exploits for nearly a month, it is absolutely critical to apply the patch as quickly as possible.