Apple Fixes First Flaw From 'Month Of Apple Bugs'

The patch comes 23 days after the researcher known only as "LMH" posted the flaw and proof-of-concept code as the opening round of his month of bugs. The vulnerability is in QuickTime 7's parsing of RTSP (RealTime Streaming Protocol), a protocol used to transmit streaming audio, video, and 3-D animation over the Web. Users duped into clicking on an overlong rtsp:// link could have their PCs or Macs completely compromised, possibly automatically as soon as their browser reaches the site.

Apple's update adds validation of RTSP URLs, the Cupertino, Calif., computer and software maker said in the online advisory that accompanied the patch.

A day after LMH unveiled the QuickTime flaw, a Mac developer posted his own patch as part of a response to the bug-a-day project. Landon Fuller, who works on the DarwinPorts project, said he stepped in as "part brain exercise, part public service." So far, he and other researchers have published fixes for 20 of the 23 bugs listed on the Month of Apple Bugs site. Earlier this month, Apple declined to confirm any of the Month of Apple Bugs vulnerabilities and only issued a standard statement saying, "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

The patches for QuickTime 7.1.3 for Mac OS X 10.4 (Tiger) and 10.3 (Panther) are available as separate downloads, but the Windows fix -- that edition of the media player also is flawed -- requires the use of Software Update, an optional component of the combined Windows QuickTime/iTunes download.