The company acknowledges the bug could lead to drive-by malware installations on Windows and Mac machines.
Apple has issued a patch for a high-profile vulnerability in its flagship QuickTime media player, acknowledging that the bug could lead to drive-by malware installations on Windows and Mac machines.
With QuickTime 7.4.1, the company provides cover for a heap buffer overflow in QuickTime's handling of HTTP responses when RTSP (Real Time Streaming Protocol) tunneling is enabled.
Apple warned that malicious hackers could use booby-trapped Web pages to "cause an unexpected application termination or arbitrary code execution."
The QuickTime update is for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista and Windows XP SP2.
The patch comes almost a month after the vulnerability was first released as a zero-day (previously unknown or unpatched) flaw on public mailing lists.
Proof-of-concept exploits have been in circulation since Jan. 10, putting both Windows and Mac users at serious risk.
The issue occurs because QuickTime fails to properly bounds-check user-supplied input before copying it to an insufficiently sized buffer.