Patch Management

Apple patches exploited QuickTime flaw after 23-day window

January 24, 2007

Apple has released a patch for a flaw in its QuickTime media player — more than three weeks after the vulnerability was discovered.

The bug was detected at the start of the year, as part of the Month of Apple Bugs project. Security organizations, including Secunia and the French Security Incident Response Team, described the flaw as "highly critical," yet it has taken the technology giant 23 days to patch.

One of the researchers behind the project, a former hacker known as LMH, said he was "stunned" by the length of time it took Apple to fix the bug.

"Taking 23 days for a remote issue that leads to code execution right away is insane," he said in a statement. "There was already an exploit and it was being abused in targeted attacks."

The QuickTime vulnerability affects the way the media player runs Real Time Streaming Protocol (RTSP). A hacker could exploit the bug and compromise the user’s computer by inserting a RTSP string in a QuickTime file, causing the user to open the file, according to an advisory on Apple’s website.

The patch is available for download from Apple’s website or by using the Mac OS X software update.

The project kicked off on New Year’s Day with the QuickTime bug. Organizers have defended the project as necessary to improve the visibility of Apple security issues.

prestitial ad