Apple Inc. patched several bugs in QuickTime on Thursday, including a three-week-old streaming media vulnerability for which exploit code has been in circulation since the end of November.
At least one security researcher took Apple to task for its slow response and lack of information before today. "In classic Apple style, security researchers have been shouting the warning about this, and Apple has sat quietly, leaving many people wondering when an update might be available," said Andrew Storms, director of security operations at nCircle Inc. "[Then] without any advance notification, we have an update [this afternoon]. There will undoubtedly be some people working late this week to not only catch up from the big Microsoft 'Patch Tuesday' release, but now also to update Apple QuickTime."
Unveiled Thursday afternoon, QuickTime 7.3.1 patches problems in how the program handles three types of media content. The most anticipated fix, however, plugged the Real-Time Streaming Protocol (RTSP) hole first disclosed Nov. 23 by Polish researcher Krystian Kloskowski.
Apple today also patched other media-related vulnerabilities, including a buffer overflow bug in the QuickTime movie file format (QTL) and an unspecified number of flaws in QuickTime's handling of Flash files. To fix the Flash vulnerabilities, Apple disabled QuickTime's media handler for all Flash content "except for a limited number of existing QuickTime movies that are known to be safe," according to a security advisory the company posted.
The Flash strategy was almost identical to the tack Apple took with Java a month ago when it last patched QuickTime. Then, Apple essentially gave up on Java; rather than patch QuickTime yet again, it simply killed most of its Java-handling skills.
Apple, QuickTime, Vulnerability, Exploitm Bugs, Patch