Apple posts QuickTime security fix

Apple has released an update to its QuickTime media player, fixing a number of critical security bugs in the software.

The QuickTime 7.3 update, released Monday, fixes seven bugs in the software. Six of the flaws could allow an attacker to run unauthorized software on a victim's PC. To do this, the attacker would first need to trick the victim into viewing a maliciously crafted movie or image file, Apple said.

The seventh flaw lies in QuickTime for Java, and it could be used to gain access to sensitive information or to run Java applets with elevated privileges, Apple said. The QuickTime patches issued Monday are for the latest versions of the Mac OS X operating system as well as Windows Vista and XP.

None of the bugs had been previously disclosed to the public, said Andrew Storms, director of security operations with nCircle Network Security.

In the past year, QuickTime has been closely scrutinized by security researchers, and this latest update was Apple's fifth QuickTime security fix for the year. The previous update, QuickTime 7.2, released in July, featured eight bug-fixes.

Apple credited outside researchers from companies like Adobe, Verisign, and 3Com for reporting the bugs it patched Monday.

"QuickTime seems to have become a new flavor of the month for researchers," Storms said. "I think part of the reason for the attention is that its cross platform. Many of the attacks will work on both Windows and Mac, and with Apple's market share in the PC market growing, there won't be any let-down to the attention that the hackers are giving Apple."