Apple has fixed a flaw (http://www.theregister.co.uk/2007/01/03/quicktime_vuln/) in its QuickTime media playback software that allowed malicious coders to install malware onto vulnerable systems.

The vulnerability (http://secunia.com/advisories/23540/) - which affects both Windows and Mac OS X PCs - was published as part of the "Month of Apple Bugs (http://projects.info-pull.com/moab/)" project, which involves a plan to release details of previously undisclosed Mac OS X or Apple application security bugs every day in January.

The QuickTime flaw involves an error in processing malformed Real Time Streaming Protocol (RTSP) URLs. As a result, users tricked into running malformed QuickTime files or who visit a hacker website hosting exploit code are liable to find their systems compromised due to this stack-based buffer overflow bug.

The flaw attracted particular attention because of the availability of exploit code targeting it, which greatly increased the risk it posed.

Apple has released fixes for QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, Windows XP/2000as (explained here (http://docs.info.apple.com/article.html?artnum=304989)), which users are advised to apply in order to guard against exploitation. ®

Related stories

RealPlayer users warned over unpatched vuln (3 January 2008)
http://www.theregister.co.uk/2008/01/03/realplayer_vuln/
Security maven: QuickTime flaw threatens PCs, Macs (12 September 2007)
http://www.theregister.co.uk/2007/09/12/quicktime_vulnerability_attacks_firefox/
Serious security hole plugged in RealPlayer and HelixPlayer (28 June 2007)
http://www.theregister.co.uk/2007/06/28/realplayer_security_hole_plugged/
Apple patches more than a dozen holes in OS X (25 May 2007)
http://www.reghardware.co.uk/2007/05/25/osx_security_update/
Apple patches security hole in QuickTime (2 May 2007)
http://www.reghardware.co.uk/2007/05/02/apple_quicktime_patch/
QuickTime, not Safari, to blame for MacBook vuln (25 April 2007)
http://www.reghardware.co.uk/2007/04/25/quicktime_vuln_fells_mac/
Safari zero-day exploit nets $10,000 prize (20 April 2007)
http://www.reghardware.co.uk/2007/04/20/pwn-2-own_winner/
Exploit for latest Windows vuln already animated (30 March 2007)
http://www.theregister.co.uk/2007/03/30/animated_cursor_vuln/
MySpace-hosted malware exploits QuickTime flaw (16 March 2007)
http://www.theregister.co.uk/2007/03/16/myspace_quicktime_exploit/
Apple megapatch fixes multiple flaws (14 March 2007)
http://www.theregister.co.uk/2007/03/14/apple_megapatch/
Apple QuickTime update lances multiple bugs (6 March 2007)
http://www.reghardware.co.uk/2007/03/06/apple_quicktime_update/
Bug brokers offering higher bounties (25 January 2007)
http://www.theregister.co.uk/2007/01/25/bug_brokers_offering_higher_bouties/
Month of Apple Bugs scheme yields first fixes (5 January 2007)
http://www.reghardware.co.uk/2007/01/05/apple_fixes_project/
Unpatched bug bites QuickTime (3 January 2007)
http://www.theregister.co.uk/2007/01/03/quicktime_vuln/
Apple updates to defend against OS, app and QuickTime flaws (15 May 2006)
http://www.theregister.co.uk/2006/05/15/apple_update/