Apple has patched a high-profile vulnerability in QuickTime eleven days after the flaw allowed a hacker to publicly hijack a brand new MacBook Pro. The Apple media player is just one of four popular applications suffering from security defects that currently require the urgent attention of those who use them.

The three other applications include Adobe Photoshop, the Winamp media player and Trillian, a client that combines the functionality of IRC, AOL Instant Messenger, MSN Messenger and other chat programs. Today's update from Apple (http://www.apple.com/quicktime/download/) means that two of the four applications have patches (Trillian's patched download is here (http://www.ceruleanstudios.com/downloads/).) Users who care about the security of their machines should install them promptly.

According to an advisory (http://secunia.com/advisories/25089/) from Secunia, the current version of Winamp contains a flaw in the way the program handles MP4 files that could allow a booby-trapped file to execute arbitrary code on a victim's machine. Secunia rates the flaw highly critical, the site's second most serious rating. Until there is a patch, Winamp users may want to think twice about playing MP4 files unless absolutely sure they originated from reputable sources.

Secunia has also warned (http://www.theregister.com/2007/05/01/adobe_photoshop_bugs/) of at least two serious vulnerabilities in Photoshop that are also labeled highly critical. One flaw, a buffer overflow vulnerability, affects Adobe Photoshop CS2 and Adobe Photoshop CS3 and involves their handling of Bitmap files. The other affects the same two Photoshop versions as well as Adobe Photoshop Elements 5.x and leaves users open to attack if they open malformed PNG graphics files. Users are advised not to open untrusted PNG or Bitmap files pending the release of a security update from Adobe.

Version 3.1.5.0 of Trillian carries three vulnerabilities related to IRC that could allow for the interception of private conversations or the execution of code with the same privileges as the currently logged on user, according to iDefense Labs (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=522). The security provider didn't assign a rating to the vulnerabilities.

Apple describes (http://docs.info.apple.com/article.html?artnum=305446) the patched vulnerability in QuickTime for Java as an implementation issue that "may allow reading or writing out of the bounds of the allocated heap." By luring a victim to a malicious website, a miscreant could hijack a user's machine, Apple warns. The update is available for Mac and Windows platforms.

The QuickTime vulnerability was discovered by Dino Dai Zovi, who spent about nine hours to write code that exploited it and submitted it as part of a contest at the CanSecWest security conference. His discovery, first reported (http://www.theregister.com/2007/04/20/pwn-2-own_winner/) to affect Safari, was later shown (http://www.theregister.com/2007/04/25/quicktime_vuln_fells_mac/) to target QuickTime. In either case, the exploit allowed him to take control of a 15-inch MacBook Pro when it visited a website that hosted the malicious code. ®

Related stories

QuickTime update fixes code-execution holes (6 November 2007)
http://www.theregister.co.uk/2007/11/06/new_quicktime_update/
IE + RealPlayer = Security hole (20 October 2007)
http://www.theregister.co.uk/2007/10/20/realplayer_vuln/
Security maven: QuickTime flaw threatens PCs, Macs (12 September 2007)
http://www.theregister.co.uk/2007/09/12/quicktime_vulnerability_attacks_firefox/
Serious security hole plugged in RealPlayer and HelixPlayer (28 June 2007)
http://www.theregister.co.uk/2007/06/28/realplayer_security_hole_plugged/
Apple TV gets its first critical security patch (20 June 2007)
http://www.reghardware.co.uk/2007/06/20/critical_appletv_patch/
Apple plugs holes in new Safari beta (14 June 2007)
http://www.reghardware.co.uk/2007/06/14/safari_holes_plugged/
Apple's Safari lacks bold vision (13 June 2007)
http://www.theregister.co.uk/2007/06/13/safari_cant_see_bold/
Security researchers poke holes in Safari (12 June 2007)
http://www.theregister.co.uk/2007/06/12/safari_security_bugs/
Apple's Safari 3: a crashing experience for non-US users (12 June 2007)
http://www.reghardware.co.uk/2007/06/12/safar_crashing_experience/
Apple plugs two QuickTime holes (30 May 2007)
http://www.reghardware.co.uk/2007/05/30/latest_quicktime_security_patch/
Apple patches more than a dozen holes in OS X (25 May 2007)
http://www.reghardware.co.uk/2007/05/25/osx_security_update/
Month of ActiveX bugs yields results (2 May 2007)
http://www.theregister.co.uk/2007/05/02/moaxb_yields_results/
Poisoned MP4 files threaten Winamp users (2 May 2007)
http://www.theregister.co.uk/2007/05/02/winamp_0-day/
MySpace-hosted malware exploits QuickTime flaw (16 March 2007)
http://www.theregister.co.uk/2007/03/16/myspace_quicktime_exploit/
Apple megapatch fixes multiple flaws (14 March 2007)
http://www.theregister.co.uk/2007/03/14/apple_megapatch/
The rise of zero-day patches (2 March 2007)
http://www.theregister.co.uk/2007/03/02/zero-day_patches_interviews/
Apple patches QuickTime bug (24 January 2007)
http://www.reghardware.co.uk/2007/01/24/apple_patches_quicktime_bug/
Month of Apple Bugs scheme yields first fixes (5 January 2007)
http://www.reghardware.co.uk/2007/01/05/apple_fixes_project/
Unpatched bug bites QuickTime (3 January 2007)
http://www.theregister.co.uk/2007/01/03/quicktime_vuln/
Month of Apple bugs planned for January (20 December 2006)
http://www.theregister.co.uk/2006/12/20/month_of_apple_bugs/
Apple blocks Mac OS X security holes (29 November 2006)
http://www.reghardware.co.uk/2006/11/29/apple_patches_osx_security/
Unpatched bug bites Apple Mac OS X (22 November 2006)
http://www.reghardware.co.uk/2006/11/22/mac_zero_day_bug/