Apple issues QuickTime security patch

Apple Computer issued a security advisory and fix for a QuickTime flaw early on Saturday. Apple described the flaw as a minor issue, but the company that discovered the vulnerability has classified it as a serious problem.

Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash. "Playing a malformed .mov (movie) file could cause QuickTime to terminate," Apple said in an advisory published late Friday afternoon.

However, the company that found and reported the flaw to Apple in February, eEye Digital Security, claimed Apple was downplaying the seriousness of the flaw in its advisory. The firm maintained that a movie file could be created that would cause malicious code to execute when the user opened the file.

"We told them that if you are not able to execute code then talk to us, so we can show you the issues," said Marc Maiffret, chief hacking officer for eEye Digital Security.

An Apple representative could not be reached for comment.

Since movie files are not generally thought to carry code, the flaw could be used to disguise a virus or Trojan horse program and lure unsuspecting Mac users into running the program.

Apple released an update to QuickTime earlier Friday morning but didn't publish a security advisory until eEye discovered that Apple had patched the security flaw in the software update. When the company contacted Apple, the computer maker agreed to issue a security advisory as well.

"You just can't put out a patch without an advisory, because then the bad guys will look at the binary and find the flaw," said Maiffret. "You need to tell people, or else you are doing your customers a disservice."

Unlike a previously discovered spoofing technique, the QuickTime issue actually involves a security flaw in the program. Apple released patches for several other vulnerabilities earlier this month.

The patch for the problem can be downloaded from Apple's download site or through Mac OS X's automatic update service.