The publication on Monday of the vulnerability and detailed attack code kicks off the "Month of the Apple Bugs" project, which promises to feature a new Apple software bug each day in January.
The QuickTime vulnerability relates to how the media player software handles the Real Time Streaming Protocol, or RTSP, according to an advisory published on the Month of the Apple Bugs Web site. An attacker could create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow, according to the advisory.
"The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account," said LMH, the alias of one of the two security researchers behind the Month of the Apple Bugs. "It can be triggered via JavaScript, Flash, common links, QTL files and any other method that starts QuickTime."
The vulnerability affects QuickTime 7.1.3, the latest version of the media player software released in September, on both Apple Mac OS X and Microsoft Windows, according to the Month of the Apple Bugs advisory. Previous versions could also be vulnerable, according to the advisory.
Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSIRT, rate the QuickTime flaw as "highly critical" and "critical," respectively.
In response to the publication of the QuickTime flaw, Apple spokesman Anuj Nayar said the company always welcomes feedback on how to improve security on the Mac, a standard company statement. Nayar did not comment on the specifics of the flaw or provide any indication of when Apple may deliver a patch.
QuickTime users can protect themselves against the vulnerability by disabling support for RTSP. The SANS Internet Storm Center, which tracks Internet threats, provides instructions on how to do this for both Windows PCs and Macs.
The Month of the Apple Bugs is meant to uncover security flaws in different Apple software and other applications for Mac OS X, according to the project Web site. "We can expect certainly many more critical issues being released during the month," LMH said.
"A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple," LMH and Kevin Finisterre, an independent security researcher, wrote on the Month of the Apple Bugs Web site.
On Tuesday, LMH and Finisterre published the second bug as part of their project. This time the flaw is not in Apple code but in the VLC Media Player, an open-source program available for Mac OS X and Windows. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution, LMH and Finisterre wrote in an alert.
In November, LMH started the "Month of Kernel Bugs" project, which also included some Apple software bugs. That initiative was inspired by the "Month of Browser Bugs" in July.
