QuickTime flaw the first of a month's worth of Apple bugs
The Month of Apple Bugs project (MoAB) has kicked off with the revelation of a QuickTime 7 flaw that could lead to a compromised system. Users can be affected if they click on a malicious URL that begins with the Real Time Streaming Protocol (rtsp) scheme, according to a summary published by LMH and Kevin Finisterre, the two security researchers responsible for MoAB.
"By supplying a specially crafted (URL) string … an attacker could overflow a stack-based buffer, using HTML, JavaScript or a QTL file as an attack vector, leading to an exploitable remote arbitrary code execution condition," the pair of researchers posted on the MoAB website.
Vulnerability tracking firm Secunia has rated the bug "highly critical" and said in an advisory released today that the flaw affects QuickTime running on Windows and Mac OS X. The MoAB advisory said the hole has been successfully exploited in QuickTime version 7.1.3.
This is the first of an expected 31 Apple bugs to be posted during January as part of the MoAB project. Organizers said the initiative's purpose is to create more security awareness around Apple products and Mac OS X applications.