OS X Lion users not affected by any of the security issues patched in this update

Oct 27, 2011 07:01 GMT

QuickTime is no longer bundled with iTunes when you download Apple’s software on a Windows PC, but the Cupertino computer giant continues to make the player available as a separate download on its website. The same goes for the latest updates.

QuickTime 7.7.1 targets Windows users only and it’s tasked with improving security. Apple recommends the update to all QuickTime 7 users on Windows XP (SP2 or later), Windows Vista, and Windows 7.

The link provided by Apple to the document listing all available security updates from Cupertino currently doesn’t work, but the company has posted the advisory that describes the security content of QuickTime 7.7.1 for Windows customers.

Most patches target the core of the application, which suffers from several bugs that may lead to unexpected application termination, arbitrary code execution, or the disclosure of memory contents.

One patch in particular, available for Windows 7, Vista, XP SP2 or later, targets a cross-site scripting issue in QuickTime Player's "Save for Web" export.

Cupertino explains that “The template HTML files generated by this feature referenced a script file from a non-encrypted origin.”

In this respect, the non-patched version of the player may allow an attacker in a privileged network position to “inject malicious scripts in the local domain if the user views a template file locally.”

Apple removed the reference to an online script to address this issue. The company notes that this issue does not affect OS X Lion customers, while Snow Leopard users have seen this issue fixed in Security Update 2011-006.
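The class of issue described above, a locally viewed HTML file that pulls a script over unencrypted HTTP, can be checked for in any folder of exported or generated pages. The following is an added example, not Apple's code or fix; the sample template, its host name and the function names are constructed for illustration.

```python
"""Flag HTML files whose <script src> is fetched over plaintext http://."""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample standing in for an exported template (not Apple's file).
SAMPLE_TEMPLATE = """<html>
<head>
<script src="HTTP://scripts.example.invalid/player.js"></script>
<script src="https://scripts.example.invalid/player.js"></script>
<script src="local/player.js"></script>
</head>
<body><script>var inline = 1;</script></body>
</html>
"""


class ScriptSrcCollector(HTMLParser):
    """Records (line, src) for every <script> tag that has a src value."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # The parser lowercases tag and attribute names for us.
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append((self.getpos()[0], src.strip()))


def insecure_script_refs(html_text):
    """Return [(line, url)] for scripts loaded from an unencrypted origin."""
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    parser.close()
    # urlsplit lowercases the scheme, so "HTTP://" is caught as well.
    return [(line, src) for line, src in parser.sources
            if urlsplit(src).scheme == "http"]


def scan_tree(root):
    """Map each .htm/.html file under root to its insecure script references."""
    findings = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        hits = insecure_script_refs(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings
```

Relative and `https://` script references are not reported; only the reference a network attacker could tamper with in transit is.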

Also noteworthy, the update addresses an uninitialized memory access issue in QuickTime's handling of URL data handlers within movie files. Apple says that “Viewing a maliciously crafted movie file may lead to the disclosure of memory contents.”

As with the aforementioned bug, OS X Lion users are in the clear, but Snow Leopard still requires the 2011-006 security update to fix this issue.

Download QuickTime 7.7.1 for Windows (Free)

Download Apple Security Update 2011-006 (Free)