In a posting on his Apple Fun blog, LMH described the flaw as a stack overflow error that surfaces when the program handles a malformed "rtsp" URL. To exploit this, attackers could set up a malicious Web site and lure users there. Or, they could trick users into opening a malicious .qtl file.
Apple confirmed those findings in its security advisory 2007-001.
"By enticing a user to access a maliciously-crafted rtsp URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution," Apple said. "A .qtl file that triggers this issue has been published on the Month of Apple Bugs web site. This update addresses the issue by performing additional validation of rtsp URLs."
Apple said the security update is available for QuickTime 7.1.3 on Mac OS X 10.3.9, Mac OS X Server 10.3.9; Mac OS X 10.4.8; Mac OS X Server v10.4.8; and Windows XP/2000.