Apple fixes critical QuickTime bug

Apple has released a security fix for its QuickTime media player software, fixing a critical bug that had been worrying security experts for nearly a month.

The update, released Wednesday, fixes a vulnerability in the RTSP (Real Time Streaming Protocol) used by QuickTime to handle streaming media. It also fixes a previously reported incompatibility between QuickTime 7.4 and Adobe Premiere and After Effects, according to an Apple spokesman.

On Jan. 10, researcher Luigi Auriemma disclosed the flaw by posting proof-of-concept attack code that could be used to run unauthorized software on a victim's computer. For the attack to work, the criminal would have to first trick the user into viewing a maliciously encoded QuickTime media file.

With the attack code available, security researchers had been hoping that Apple would address the flaw. Wednesday's QuickTime 7.4.1 update is for both the Mac OS X and Windows operating systems.

It is Apple's fifth QuickTime update since October. The company has been forced to issue the flurry of patches as security researchers have taken a closer look at media player flaws during the past year. In December, Apple patched a separate RTSP vulnerability, which online criminals had already started to use in their attacks.

"In the past few months, QuickTime has been a prevalent target for security researchers," said Andrew Storms, director of security operations with nCircle Network Security. "Internet media applications on the desktop have been a rich target for attackers, and this trend is sure to continue as most users aren't yet accustomed to attacks arriving in the form of a viral video."