After attacks, Apple fixes QuickTime bug

Apple has released a new security patch for QuickTime, its eighth update this year for the media player software.

The update addresses three critical security holes in QuickTime, including a vulnerability that has been used in attacks by online criminals.

The most critical of the flaws lies in QuickTime's implementation of the Real Time Streaming Protocol (RTSP), used to play audio and video over the Internet. The flaw was made public Nov. 23, and in early December attackers began exploiting the flaw in online attacks. By tricking victims into visiting a malicious Web site that exploited the flaw, hackers were able to install malicious software on the victims' PCs.

To date, these attacks have targeted Windows-based systems, but security experts say that Mac OS X users are also at risk to the vulnerability. Apple issued patches for both Windows and Mac OS X users on Thursday.

The second critical vulnerability, which had apparently not been publicly disclosed, has to do with a flaw in the QuickTime Media Link (QTL) file format used by the media player. Security researchers have recently been looking at the way QuickTime works with these files as a potential source of new bugs.

Apple also patched a handful of similar bugs in the way that QuickTime handles Adobe's Flash media format. The most serious of these flaws could let attackers run unauthorized software on the computer, much as the RTSP bug does, Apple said.

With security researchers paying special attention to media format bugs, Apple has had to patch QuickTime frequently this year. Some of these updates have come just weeks apart. Apple last patched QuickTime on Nov. 5.