Apple has shipped a new QuickTime version to plug at least three more security vulnerabilities that put Mac OS X and Windows users at risk of code execution attacks.
The QuickTime 7.3.1 update addresses the QuickTime RTSP (Real Time Streaming Protocol) Content-Type header flaw that was first disclosed on security mailing lists on November 26. Exploit code for this vulnerability -- which affects both Mac and Windows machines -- is publicly available.
From Apple's advisory:
A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.
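The pattern Apple describes, a header value copied into a fixed-size destination without checking that it fits, is easy to see in code. The following is an added example and not Apple's code or the actual QuickTime bug: it parses a constructed RTSP response, shows the unchecked copy beside a bounded one, and rejects a Content-Type value that would not fit. The 32-byte destination and the sample responses are assumptions chosen to make the check observable.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed benign RTSP response (not taken from the advisory or any exploit). */
static const char kSampleBenign[] =
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Deliberately small fixed-size destination; the real size in QuickTime is unknown here. */
#define CT_BUF 32

/* Case-insensitive compare of n bytes (header names are case-insensitive in RTSP). */
static int name_eq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Find the value of header `name` in a CRLF-delimited header block.
   Returns a pointer to the value (leading blanks skipped) and its length in *len,
   or NULL if the header is absent. Stops at the blank line ending the headers. */
static const char *find_header(const char *msg, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = msg;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen == 0) break;                       /* blank line: end of headers */
        if (linelen > nlen && name_eq(p, name, nlen) && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (v < p + linelen && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)((p + linelen) - v);
            return v;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return NULL;
}

/* Vulnerable pattern: the value is copied into a CT_BUF-byte buffer with no length check,
   so a Content-Type longer than CT_BUF-1 bytes writes past the end of ct[].
   Kept only for contrast; this file never calls it with an oversized header. */
static int content_type_unsafe(const char *msg, char ct[CT_BUF]) {
    size_t vlen;
    const char *v = find_header(msg, "Content-Type", &vlen);
    if (!v) return -1;
    memcpy(ct, v, vlen);          /* no bounds check */
    ct[vlen] = '\0';
    return 0;
}

/* Hardened pattern: the destination size travels with the pointer and anything that
   does not fit (value plus terminator) is rejected instead of truncated or overflowed. */
static int content_type_safe(const char *msg, char *ct, size_t ctsz) {
    size_t vlen;
    const char *v = find_header(msg, "Content-Type", &vlen);
    if (!v) return -1;
    if (vlen >= ctsz) return -2;  /* would not fit: refuse the header */
    memcpy(ct, v, vlen);
    ct[vlen] = '\0';
    return 0;
}

/* Builds a constructed response whose Content-Type value is n bytes of 'A' and
   runs the hardened parser on it. Returns that parser's result code. */
static int check_oversized(size_t n) {
    char msg[1024];
    char ct[CT_BUF];
    if (n > 900) return -99;
    int off = snprintf(msg, sizeof msg, "RTSP/1.0 200 OK\r\nContent-Type: ");
    memset(msg + off, 'A', n);
    memcpy(msg + off + n, "\r\n\r\n", 5);
    return content_type_safe(msg, ct, sizeof ct);
}

/* Returns 1 if the hardened parser extracts "application/sdp" from the benign sample. */
static int benign_matches(void) {
    char ct[CT_BUF];
    if (content_type_safe(kSampleBenign, ct, sizeof ct) != 0) return 0;
    return strcmp(ct, "application/sdp") == 0;
}

int main(void) {
    char ct[CT_BUF];
    content_type_unsafe(kSampleBenign, ct);   /* safe here only because the value fits */
    printf("unsafe copy of benign header: %s\n", ct);
    printf("safe parse ok: %d\n", benign_matches());
    printf("31-byte value: %d, 32-byte value: %d, 400-byte value: %d\n",
           check_oversized(31), check_oversized(32), check_oversized(400));
    return 0;
}
```

The fix Apple describes ("ensuring that the destination buffer is sized to contain the data") is the `vlen >= ctsz` check: the length of attacker-controlled input is compared against the destination before any byte is written, and the terminator is counted.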
A third issue -- multiple vulnerabilities in QuickTime's Flash media handler -- could also lead to arbitrary code execution. With this update, Apple disables the Flash media handler in QuickTime except for a limited number of existing QuickTime movies that are known to be safe.
Not counting silent (undocumented) fixes, Apple has patched at least 35 security holes in QuickTime this year.