Apple has patched a vulnerability in QuickTime that could give a hacker control over a computer three weeks after it was first exposed.
The problem is a buffer overflow that can occur when QuickTime processes a RTSP (Real Time Streaming Protocol) URL, which directs the player to a streaming file and allows a user to play and pause it.
A hacker could create a malicious RTSP URL embedded in a Web page that opens a door for other harmful code to run on a machine, Apple said. The patch comes more than three weeks after researchers who are part of the Month of Apple Bugs (MOAB) project published exploit code.
Danish security vendor Secunia has labelled the problem critical. Apple said the problem affects QuickTime 7.1.3 on Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.8, Mac OS X Server 10.4.8 and Windows XP and 2000.
The patch is available through Apple's download page, or through Apple's Software Update service.
Last month, hackers exploited a feature in QuickTime and used it in combination with a cross-scripting problem on MySpace.com to create a virulent worm that quickly spread on the social networking website. The worm distributed advertising software and stole login credentials. Apple issued a fix that blocked the code.