QuickTime fixes are in
Better late than never: Apple has fixed a serious QuickTime vulnerability on both Windows and Macintosh. QuickTime 7.3.1 includes a fix to the recent QuickTime RTSP vulnerability, along with a couple of other similar problems.
The fix prevents “arbitrary code execution,” as many fixes of this type do. Unlike most such fixes, however, the code execution that’s prevented is not theoretical. It is actual, on both Windows and Macs. That is, there are real exploits out there that take advantage of the flaw. In particular, there’s one that affects, in a quite real way, Second Life users. There may well be others, in addition to the “proof of concept” code published with the original bug report.
As many other people have pointed out, it took Apple too long to make the fix available. It was actually less than three weeks, but, in Internet time, that’s just not quick enough. In three weeks, a very serious virus could have been created and propagated. It wasn’t, and perhaps this particular flaw was not amenable to its creation, but who knows.
It’s likely Apple is still used to only having to address theoretical security issues, where a three-week turnaround is not bad (although it’s not great either). When a more “real” security issue like this appeared, they probably weren’t quite prepared for it. Hopefully they’ll learn from this lack of preparation and do better next time.
Friday, December 14, 2007