Miller had revealed information about the JP2 bug in The Mac Hacker's Handbook, a how-to book he and Dino Dai Zov published in March. In an earlier interview, Miller said that he had not actually disclosed the vulnerability, but he had provided all the information a competent researcher needed to root it out.
TippingPoint, which was unaware of the clues Miller had given, paid Put for the bug, said Amini. "We got that bug about a month after the book came out," said Amini Monday. "That happens about once every two months, where we end up paying twice for the same bug."
However, Put used a slightly different approach to find the vulnerability, Amini argued. "His research was unique and he did some original work. And this wasn't his first Apple bug," he said.
nCircle's Storms warned users to take the QuickTime vulnerabilities seriously, even if bugs in the player have rarely been exploited. "Anytime you can simply open a movie file and inject malware is bad news," Storms said. "Especially given how much of the Internet is now used for multimedia. Most people don't expect to be attacked watching a movie -- unless it's a horror movie."
Apple also updated iTunes Monday, releasing Version 8.2 to fix a single critical vulnerability in parsing "itms:" URLs, and to prep the software for iPhone 3.0, the new operating system expected to launch next week at Apple's annual Worldwide Developers Conference.
As is its practice, Apple skimped on details of the changes rolled into iTunes, although the Mac OS X Software Update noted: "iTunes 8.2 now supports iPhone or iPod touch with the iPhone 3.0 Software Update."
Mac users can upgrade to QuickTime 7.6.2 and iTunes 8.2 using the operating system's built-in Software Update feature, while Windows users can either download the new QuickTime and iTunes from the Apple support site or use the optional Windows update tool.