Apple just like Microsoft: slow to fix Quicktime flaw
By Matt Jansen
Apple waited three weeks to patch several bugs in its popular Quicktime video player, mirroring Microsoft’s behavior with its ubiquitous Windows operating system.
The new patch, released Thursday, brings Quicktime to version 7.3.1 and corrects a problem with the Real Time Streaming Protocol (RTSP).
Hackers could exploit the flaw by convincing users to visit web sites that contained malicious streaming content, or by getting users to open a corrupt QTL file sent as an e-mail attachment.
According to ComputerWorld, researcher Krystian Kloskowski first discovered the flaw on November 23 using Windows XP SP2 and Vista, and it was confirmed by other analysts within days that the Mac version of Quicktime was also buggy.
By November 29, Symantec warned that exploit code for the Mac had been published.
Finally on December 13, Apple issued a patch to correct the problem.
Quicktime also harbored other security holes, according to ComputerWorld, “including a buffer overflow bug in the QuickTime movie file format and an unspecified number of flaws in QuickTime’s handling of Flash files.”
Apple’s response was to cut out the Flash functionality from Quicktime, rather than correct the handling protocols. This follows the company’s previous decision to disable Java functionality.
Quicktime commands a large audience of users, including the masses that download it as a bundled package with iTunes. With that many people exposed, correcting program flaws like this becomes critical to improving safety on the web.
The same theme is apparent with Microsoft when it releases patches in batches instead of as each fix is ready. Companies that create a platform product like Windows or Quicktime have a responsibility to keep their users safe, but they may lack the right incentive.
That means the best defense is still common sense.
December 16th, 2007
Well, at least it doesn’t take months like Microsoft will take to fix the flaws in their system.