QuickTime 7.4.1 Fixes Zero-Day Vulnerability
Apple has released QuickTime 7.4.1, a critical security update all users should apply immediately. It is available via Software Update and as a direct download for Leopard, Tiger, Panther, and Windows systems.
This update patches a month-old zero-day vulnerability in QuickTime's handling of the Real Time Streaming Protocol (RTSP) that could allow an attacker to take over your computer if you visit a malicious Web site or follow a malicious link in an email. In security parlance this is "remote code execution," and "zero-day" means the flaw was being exploited, or at least publicly known, before any patch existed. It is similar to a previous RTSP vulnerability that Apple patched in the QuickTime 7.3.1 update (see "QuickTime 7.3.1 Fixes RTSP Vulnerability," 2007-12-14).
As usual, the release notes are a sparse "addresses security issues and improves compatibility with third-party applications." A separate security note provides more details, but the download page's release notes don't even link to it; the details appear only on Apple's security updates page.
Since sample exploit code for this vulnerability has been circulating for nearly a month, it is absolutely critical to apply the patch as quickly as possible, and to confirm afterward that the installed version is 7.4.1 or later, since QuickTime on Windows in particular is easy to overlook.
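A small script for confirming that an installed copy of QuickTime is at or above the fixed version, added here as an illustration rather than anything Apple or TidBITS publishes. The version-comparison logic is self-contained; the plist path it reads on Mac OS X (the QuickTime framework's version.plist) and the `defaults read` key it uses are assumptions about where the framework records its version, so pass the version string explicitly on systems where that lookup doesn't apply.

```shell
#!/bin/sh
# Added example (not from the original article): report whether an installed
# QuickTime is at or above the version that fixes the RTSP zero-day.
MIN_QT_VERSION="7.4.1"

# qt_version_ok VERSION
# Returns 0 if VERSION >= MIN_QT_VERSION, 1 otherwise. Dotted components are
# compared numerically left to right; missing components count as 0, and any
# non-digit characters (e.g. a beta suffix) are stripped before comparing.
qt_version_ok() {
  have="$1"
  want="$MIN_QT_VERSION"
  i=1
  while [ "$i" -le 3 ]; do
    h=$(printf '%s' "$have" | cut -d. -f"$i" | tr -cd '0-9')
    w=$(printf '%s' "$want" | cut -d. -f"$i" | tr -cd '0-9')
    h=${h:-0}
    w=${w:-0}
    if [ "$h" -gt "$w" ]; then return 0; fi
    if [ "$h" -lt "$w" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# installed_qt_version
# On Mac OS X, reads CFBundleShortVersionString from the QuickTime framework's
# version.plist (assumed location). Prints "unknown" anywhere else or on failure.
installed_qt_version() {
  plist="/System/Library/Frameworks/QuickTime.framework/Resources/version.plist"
  if [ "$(uname -s 2>/dev/null)" = "Darwin" ] && [ -f "$plist" ]; then
    defaults read "${plist%.plist}" CFBundleShortVersionString 2>/dev/null || echo unknown
  else
    echo unknown
  fi
}

# Use the version given on the command line, else try to detect it locally.
if [ -n "${1:-}" ]; then
  ver="$1"
else
  ver=$(installed_qt_version)
fi

if qt_version_ok "$ver"; then
  echo "QuickTime $ver: patched (>= $MIN_QT_VERSION)"
else
  echo "QuickTime $ver: VULNERABLE or unknown; update to $MIN_QT_VERSION or later"
fi
```

Run it with no arguments on a Mac to check the local framework, or as `sh qtcheck.sh 7.3.1` to evaluate a version string gathered elsewhere (for example from a Windows inventory tool). An "unknown" result is deliberately treated as not patched, so a deployment report never silently passes a machine the script couldn't read.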