Publication of yet-to-be-patched QuickTime vulnerability kicks off month in which researchers will publish an Apple software bug each day.
The publication on Monday of the vulnerability and detailed attack code kicks off the "" project, which promises to feature a new Apple software bug each day in January.
The QuickTime vulnerability relates to how the media player software handles the Real Time Streaming Protocol, or RTSP, according to an advisory published on the Month of the Apple Bugs Web site. An attacker could create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow, according to the advisory.
The vulnerability affects QuickTime 7.1.3, the latest version of the media player software released in September, on both Apple Mac OS X and Microsoft Windows, according to the Month of the Apple Bugs advisory. Previous versions could also be vulnerable, according to the advisory.
Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSIRT, rate the QuickTime flaw as "highly critical" and "critical," respectively.
In response to the publication of the QuickTime flaw, Apple spokesman Anuj Nayar said the company always welcomes feedback on how to improve security on the Mac, a standard company statement. Nayar did not comment on the specifics of the flaw or provide any indication of when Apple may deliver a patch.
QuickTime users can protect themselves against the vulnerability by disabling support for RTSP. The SANS Internet Storm Center, which tracks Internet threats, provides instructions on how to do this for both Windows PCs and Macs.
The Month of the Apple Bugs is meant to uncover security flaws in different Apple software and other applications for Mac OS X, according to the project Web site. "We can expect certainly many more critical issues being released during the month," LMH said.
"A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple," LMH and Kevin Finisterre, an independent security researcher, wrote on the Month of the Apple Bugs Web site.
On Tuesday, LMH and Finisterre published the second bug as part of their project. This time the flaw is not in Apple code but in the VLC Media Player, an open-source program available for Mac OS X and Windows. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution, LMH and Finisterre wrote in an alert.
In November, LMH started the "Month of Kernel Bugs" project, which also included some Apple software bugs. That initiative was inspired by the "Month of Browser Bugs" in July.