News Posts matching #QuickTime

Apple QuickTime Player Version 7.5 Released

QuickTime users may now update their current player version to the latest 7.5 release. The update supposedly adds performance enhancements and addresses security issues dealing with the way QuickTime handles PICT files, AAC-encoded media, URLs and Indeo video. More information can be found on the Apple web site. Download Apple QuickTime 7.5 for Windows XP or Vista here.

Critical QuickTime 7.4 Bug Patched

Apple has released a security fix for its QuickTime media player software, fixing a critical bug that had been worrying security experts for nearly a month. The update, released Wednesday, fixes a vulnerability in the Real Time Streaming Protocol (RTSP) used by QuickTime to handle streaming media. It also fixes a previously reported incompatibility between QuickTime 7.4 and Adobe Premiere and After Effects, according to an Apple spokesman. In January, researcher Luigi Auriemma disclosed the flaw by posting proof-of-concept attack code that could be used to run unauthorised software on a victim's computer. For the attack to work, the criminal would have to first trick the user into viewing a maliciously encoded QuickTime media file. Wednesday's QuickTime 7.4.1 update is for both the Mac OS X and Windows operating systems.

Zero-Day Exploit for Apple QuickTime Posted

An Italian security researcher has posted a proof-of-concept exploit for a zero-day vulnerability in the most current version of Apple's QuickTime media software (7.3.1), which affects both Windows and Mac OS X. According to Luigi Auriemma, the bug is a buffer overflow that happens during the handling of the HTTP error message and its visualization in the LCD-like screen, which contains info about the status of the connection. Buffer overflows can often be exploited by attackers to compromise the affected system. In this scenario, that's exactly what this bug can do: it can allow the attacker to take control of the affected system. The vulnerability Auriemma has identified has no fix at the moment, so keep it in mind if you use the latest QuickTime on your system. Find out more about the exploit here.

New Zero-Day QuickTime Vulnerability Emerges

Apple updated QuickTime to version 7.3 recently to address a much-exploited bug, but a new QuickTime vulnerability has emerged, prompting security agencies to issue warnings to those running QuickTime on either Windows XP or Windows Vista. There is no word yet on whether Mac OS X is vulnerable to the new QuickTime bug. Apple's QuickTime is vulnerable to malware disguised as streaming video, and attack code has been published on the milw0rm.com web site. According to the U.S. Computer Emergency Readiness Team, QuickTime versions 7.2 and 7.3, and perhaps earlier versions, contain a buffer-overflow bug. "Apple QuickTime contains a stack buffer overflow vulnerability in the way QuickTime handles the RTSP Content-Type header," US-CERT said. "This vulnerability may be exploited by convincing a user to connect to a specially crafted RTSP stream." RTSP is the Real-Time Streaming Protocol, which QuickTime supports. When users click on a link for a malicious RTSP stream, an attacker might be able to execute arbitrary code on the compromised system. Solutions for limiting this vulnerability until a new patch is released can be found here.

Apple Patches Year-Old Windows QuickTime Vulnerability

Apple has taken another swing at fixing a troublesome spate of QuickTime vulnerabilities. The company released an update for the Windows version of QuickTime media player on Wednesday afternoon to patch what Apple calls a "command injection issue" in the way the media player handles URLs. The flaw, which affects Windows XP and Windows Vista, was first disclosed in September of 2006 by Petko D. Petkov, a penetration tester. Petkov noted in a blog post this September that he reported two QuickTime bugs in the early fall of 2006. Only one, however, was patched. To bring attention to the year-old vulnerability, Petkov posted several proof-of-concept exploits on his blog last month. The issue does not affect computers running Mac OS X, according to Apple.