Apple QuickTime Player versions 7.1.3 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with user privileges.
The vulnerability is due to insufficient boundary restrictions on elements contained within rtsp:// URLs. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to follow a malicious URL as part of a crafted website, triggering a buffer overflow condition. This condition could allow the attacker to execute arbitrary code with privileges of the user who invoked the affected application.
Proof-of-concept code is available to demonstrate code execution on some platforms.
Apple confirmed this vulnerability in a security update and released software updates.
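The defect class described above, a URL element copied into a fixed-size buffer without a length check, is avoided by validating each element's length before copying it. The C parser below is an added example, not Apple's code and not part of the original advisory; the struct, the field sizes and the function names are assumptions chosen for illustration.

```c
#include <string.h>

/* Hypothetical fixed-size fields; the sizes are assumptions for this example. */
#define HOST_MAX 256
#define PORT_MAX 6
#define PATH_MAX_LEN 1024

struct rtsp_url {
    char host[HOST_MAX];
    char port[PORT_MAX];
    char path[PATH_MAX_LEN];
};

/* Copy exactly len bytes into dst only if they fit together with the NUL. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len >= dst_size)
        return -1;            /* element too long: reject, never truncate */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse rtsp://host[:port][/path]. Returns 0 on success, -1 on a wrong
 * scheme, an empty host, or any element that exceeds its buffer. */
int parse_rtsp_url(const char *url, struct rtsp_url *out)
{
    static const char scheme[] = "rtsp://";
    const char *p, *host_end, *colon;
    size_t auth_len;

    if (url == NULL || out == NULL || strncmp(url, scheme, sizeof scheme - 1) != 0)
        return -1;
    memset(out, 0, sizeof *out);
    p = url + sizeof scheme - 1;
    auth_len = strcspn(p, "/");          /* authority ends at first '/' or NUL */
    host_end = p + auth_len;
    colon = memchr(p, ':', auth_len);    /* optional port separator */
    if (colon != NULL) {
        if (copy_bounded(out->port, sizeof out->port, colon + 1,
                         (size_t)(host_end - (colon + 1))) != 0)
            return -1;
        host_end = colon;
    }
    if (host_end == p ||
        copy_bounded(out->host, sizeof out->host, p, (size_t)(host_end - p)) != 0)
        return -1;
    return copy_bounded(out->path, sizeof out->path, p + auth_len,
                        strlen(p + auth_len));
}
```

Rejecting an over-length element outright, rather than truncating it, keeps the parsed result from silently differing from the URL the user was shown.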