Apple slaps more bandaids on QuickTime

Apple has shipped a new QuickTime version to plug at least three more security vulnerabilities that put Mac OS X and Windows users at risk of code execution attacks.
Written by Ryan Naraine, Contributor

The QuickTime 7.3.1 update addresses the QuickTime RTSP (Real Time Streaming Protocol) Content-Type header flaw that was first released on security mailing lists on November 26. Exploit code for this vulnerability -- which dings Mac and Windows machines -- is publicly available.

From Apple's advisory:

A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.
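
The fix the advisory describes, sizing the destination buffer to the header data, shown as an added example; this is not Apple's code and not part of the original article. The function names and the simple CRLF header parser are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers, not QuickTime code. Find the Content-Type value in a
 * CRLF-delimited header block; returns a pointer into hdrs, length in *vlen. */
static const char *find_content_type(const char *hdrs, size_t len, size_t *vlen)
{
    static const char name[] = "content-type:";
    const size_t nlen = sizeof name - 1;
    const char *p = hdrs, *end = hdrs + len;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        const char *le = eol ? eol : end;            /* end of this line */
        size_t i = 0;
        while (i < nlen && p + i < le && tolower((unsigned char)p[i]) == name[i])
            i++;
        if (i == nlen) {                             /* header name matched */
            const char *v = p + nlen;
            while (v < le && (*v == ' ' || *v == '\t')) v++;
            while (le > v && (le[-1] == '\r' || le[-1] == ' ')) le--;
            *vlen = (size_t)(le - v);
            return v;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return NULL;
}

/* Destination sized from the measured value, so any length fits. */
char *content_type_dup(const char *hdrs, size_t len)
{
    size_t n;
    const char *v = find_content_type(hdrs, len, &n);
    char *dst = v ? malloc(n + 1) : NULL;
    if (dst) { memcpy(dst, v, n); dst[n] = '\0'; }
    return dst;
}

/* Fixed destination: refuse (-1) rather than truncate or overrun. */
int content_type_copy(const char *hdrs, size_t len, char *dst, size_t cap)
{
    size_t n;
    const char *v = find_content_type(hdrs, len, &n);
    if (!v || n >= cap) return -1;
    memcpy(dst, v, n); dst[n] = '\0';
    return (int)n;
}
```

The caller owns the pointer returned by `content_type_dup` and must `free` it; `content_type_copy` leaves `dst` untouched when it returns -1.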

The latest update also patches a high-risk vulnerability that allows hackers to manipulate QTL files to crash QuickTime or launch malware attacks.

The third issue -- multiple vulnerabilities in QuickTime's Flash media handler -- could also lead to arbitrary code execution. With this update, Apple disables the Flash media handler in QuickTime except for a limited number of existing QuickTime movies that are known to be safe.

Not counting silent (undocumented) fixes, Apple has patched at least 35 security holes in QuickTime this year.
