Friday, December 14, 2007

QuickTime Bug Squashed

Apple releases a patch for a critical flaw, making it the eighth update this year for QuickTime.

Apple Fixes QuickTime Bug
A new security patch for QuickTime has been released by Apple, making it the eighth update this year for the media player software. The update addresses three critical security flaws in QuickTime, including a vulnerability that has been used by online criminals.

The most critical of the flaws patched is in QuickTime's implementation of the Real Time Streaming Protocol, or RTSP, which is used to play video and audio over the internet. Attackers began exploiting the flaw in early December after it was made public last November. The online attacks involved tricking victims into visiting a malicious website that exploited the flaw, and hackers were able to install malicious software on the victims' PCs.

These attacks have targeted Windows-based systems, but experts say that Mac OS X users are also at risk. Apple issued patches for both Windows and Mac OS X users last Thursday.

Security researchers are looking at the way QuickTime works with the QuickTime Media Link (QTL) file format used by the media player. The second critical vulnerability, which had apparently not been publicly disclosed, has to do with this file format.

Apple also patched a handful of similar bugs in the way that QuickTime handles Adobe's Flash media format. The most serious of these flaws could let attackers run unauthorized software on the computer, much as the RTSP bug does, Apple said.

With security researchers paying special attention to media format bugs, Apple has had to patch QuickTime frequently this year. Some of these updates have come just weeks apart. Apple last patched QuickTime on Nov. 5.
