This article originally appeared in TidBITS on 2008-01-21 at 1:44 a.m.
The permanent URL for this article is: http://db.tidbits.com/article/9411

QuickTime 7.4 Improves Security, but Not Enough

by Jeff Carlson

Apple updated its media workhorse QuickTime to version 7.4 last week, fixing bugs and adding support for new iTunes features such as downloadable movie rentals. But the more important news is that this version squashes a handful of security holes that could allow remote attacks [1]. However, a serious vulnerability discovered shortly before Macworld Expo demonstrates that Apple's engineers need to remain hard at work.

The QuickTime 7.4 update is available for Leopard (a 55 MB download [2]), Tiger (a 51 MB download [3]), Panther (a 50 MB download [4]), and Windows (both XP and Vista, a 22 MB download [5]).

The most recent exploit [6], not addressed in QuickTime 7.4, takes advantage of a hole in QuickTime's RTSP (Real Time Streaming Protocol) support that could open a computer to a denial-of-service attack or possible remote code execution. (RTSP is not a new target; see "Protect Yourself from the QuickTime RTSP Vulnerability [7]," 2007-09-07.) Because QuickTime is the underlying technology of iTunes, both Macs and Windows computers running QuickTime are vulnerable. Anyone who uses iTunes or owns an iPod should update.

[1]: http://docs.info.apple.com/article.html?artnum=307301
[2]: http://www.apple.com/support/downloads/quicktime74forleopard.html
[3]: http://www.apple.com/support/downloads/quicktime74fortiger.html
[4]: http://www.apple.com/support/downloads/quicktime74forpanther.html
[5]: http://www.apple.com/support/downloads/quicktime74forwindows.html
[6]: http://www.kb.cert.org/vuls/id/112179
[7]: http://db.tidbits.com/article/9333