QuickTime flaw the first of a month's worth of Apple bugs

The Month of Apple Bugs project (MoAB) has kicked off with the revelation of a QuickTime 7 flaw that could lead to a compromised system.

Users can be affected if they click on a malicious URL beginning with the real-time streaming protocol (rtsp), said a summary published by LMH and Kevin Finisterre, the two security researchers responsible for MoAB.

"By supplying a specially crafted (URL) string ... an attacker could overflow a stack-based buffer, using HTML, JavaScript or a QTL file as an attack vector, leading to an exploitable remote arbitrary code execution condition," the pair of researchers posted on the MoAB website.

Vulnerability tracking firm Secunia has rated the bug "highly critical" and said in an advisory released today that the flaw affects QuickTime running on Windows and Mac OS X. The MoAB advisory said the hole has been successfully exploited in QuickTime version 7.1.3.
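The advisory describes the attack surface as an rtsp:// URL delivered through HTML, JavaScript or a QTL file. The following is an added example, not code from the article, MoAB or Apple, of the kind of content check a mail gateway or web proxy could apply while a patch is pending: it extracts rtsp:// URLs from such documents and flags ones that are implausibly long or contain non-printable bytes. The 256-character threshold and the sample documents are assumptions constructed for the example, not figures from the advisory.

```python
"""Flag overlong rtsp:// URLs in HTML, JavaScript or QTL content.

Added example (not from the article or MoAB): a simple content filter
that a gateway or proxy could apply. The 256-character threshold is an
assumed policy value, not a figure from the advisory.
"""
import re

# Match an rtsp:// URL up to the first whitespace, quote or tag delimiter.
RTSP_URL = re.compile(r"rtsp://[^\s\"'<>]+", re.IGNORECASE)

# Assumed maximum length for a legitimate rtsp:// URL (hypothetical policy value).
MAX_URL_LEN = 256


def find_rtsp_urls(text: str) -> list[str]:
    """Return every rtsp:// URL found in an HTML, JavaScript or QTL document."""
    return RTSP_URL.findall(text)


def flag_rtsp_urls(text: str, max_len: int = MAX_URL_LEN) -> list[tuple[str, str]]:
    """Return (url, reason) pairs for URLs that should not be handed to QuickTime."""
    flagged = []
    for url in find_rtsp_urls(text):
        if len(url) > max_len:
            flagged.append((url, f"length {len(url)} exceeds {max_len}"))
        elif any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in url):
            flagged.append((url, "non-printable characters in URL"))
    return flagged


# Constructed sample inputs (no real sites, no real attack content).
BENIGN_HTML = '<a href="rtsp://media.example.invalid/talk.mov">Watch</a>'
OVERLONG_QTL = (
    '<?xml version="1.0"?>\n'
    '<?quicktime type="application/x-quicktime-media-link"?>\n'
    '<embed src="rtsp://media.example.invalid/' + "A" * 400 + '" autoplay="true"/>'
)
SAMPLE_DOCS = {"benign.html": BENIGN_HTML, "overlong.qtl": OVERLONG_QTL}


def scan_documents(docs: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Scan several documents; only those with at least one flagged URL appear."""
    return {name: hits for name, text in docs.items() if (hits := flag_rtsp_urls(text))}


if __name__ == "__main__":
    for name, hits in scan_documents(SAMPLE_DOCS).items():
        for url, reason in hits:
            print(f"{name}: {reason}: {url[:40]}...")
```

The filter is deliberately coarse: a length cap and a printable-character check cannot prove a URL is safe, but they block the obvious shape of the input the advisory describes without needing to know the exact size of the affected buffer, which the advisory does not state.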

This is the first of an expected 31 Apple bugs to be posted during January as part of the MoAB project. Organizers said the initiative's purpose is to create more security awareness around Apple products and Mac OS X applications.

"Getting problems solved makes that use (of Mac OS X) a bit more safe each day, for everyone else," said a post on MoAB's website. "Flaws exist, with and without people disclosing them. If we wanted to make business out of this, we would be selling the issues and the proper exploit for each one."

Some industry experts have criticized LMH, who has participated in similar undertakings focusing on holes in kernels and web browsers, for failing to first report the vulnerability to the affected vendor.

But the organizers defended such actions.

"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial," the researchers said on the MoAB site.

An Apple spokesperson could not immediately be reached for comment.

By Dan Kaplan.