Stephen Withers
Friday, 08 February 2008 01:18
Just three weeks after the debut of QuickTime 7.4, Apple has pushed out an update to plug a security hole.
QuickTime 7.4.1 fixes a heap buffer overflow in the handling of HTTP responses when RTSP tunnelling is enabled. The flaw could be exploited with a maliciously crafted web page to cause a crash or arbitrary code execution.
No information was given about the possible existence of the flaw in versions of QuickTime prior to 7.4.
Similar problems involving RTSP have been found in earlier versions of QuickTime. Such a flaw was the first issue identified by the Month of Apple Bugs project in January 2007. Apple subsequently released a fix.
Media files and related issues are currently fertile ground for those seeking exploits.
The update also "improves compatibility with third-party applications," Apple officials said. Judging by user reports, this is a reference to a problem affecting Adobe After Effects that was introduced by QuickTime 7.4. The symptom was that rendering would stop after around 10 minutes, claiming the user didn't have permission to open the file. It appeared to be related to DRM measures introduced in QuickTime 7.4 to help protect movies rented from the iTunes Store, but it caused media professionals a lot of grief as Apple provides no mechanism for undoing QuickTime (or other) updates.
Separate versions of the update are available for Mac OS X 10.4, 10.4, 10.5, and Windows XP and Vista. They may be installed by using Software Update (Apple Software Update on Windows) or downloaded from Apple Downloads.