Apple (Nasdaq: AAPL) released a fix Tuesday to patch a critical flaw in its QuickTime media player.
The patch came 23 days after the "Month of Apple Bugs" (MOAB) blog revealed the vulnerability to the public. The MOAB blog, which has pledged to publish an Apple software-related bug every day during the month of January, claimed that the flaw has already been successfully exploited.
The vulnerability lies in the way the software handles the Real Time Streaming Protocol (RTSP) URL handler, wrote Kevin Finisterre and another researcher identified only as LMH, who both run the MOAB blog and discovered the flaw.
An attacker who supplies "a maliciously-crafted RTSP URL" can trigger a buffer overflow that could lead to arbitrary code execution, Apple confirmed in an alert to QuickTime users.
The flaw affects QuickTime version 7.1.3 for both the Mac and Windows and, according to MOAB, users of earlier versions of the software are also at risk.
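The bug class described above, a fixed-size buffer overrun triggered by an overlong URL component, is shown here with a toy rtsp:// URL handler. This is an added example written for this page: it is not QuickTime code and not taken from the MOAB advisory. The buffer size HOST_BUF, the function names and the sample URLs are assumptions made for the illustration. The vulnerable form copies the host part of the URL into a stack buffer without a bound check; the hardened form validates the length before copying and rejects, rather than truncates, anything that does not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the buffer holding the host part of an rtsp:// URL.
 * The value is chosen for this illustration, not taken from QuickTime. */
#define HOST_BUF 64

/* Returns a pointer just past "rtsp://" if the URL uses that scheme,
 * otherwise NULL. Scheme matching is case-sensitive here for brevity. */
static const char *rtsp_host_start(const char *url)
{
    static const char scheme[] = "rtsp://";
    if (url == NULL || strncmp(url, scheme, sizeof scheme - 1) != 0)
        return NULL;
    return url + (sizeof scheme - 1);
}

/* Length of the host component: everything up to the first ':' or '/'. */
static size_t rtsp_host_len(const char *host)
{
    return strcspn(host, ":/");
}

/* VULNERABLE pattern (for reading; only ever call it with short input).
 * The host is copied into a fixed stack buffer with no bound check, so a
 * URL whose host is HOST_BUF bytes or longer overwrites whatever sits
 * above the buffer on the stack: undefined behaviour, and the classic
 * route from a crafted URL to attacker-controlled code execution. */
static int handle_rtsp_url_vulnerable(const char *url)
{
    char host[HOST_BUF];
    const char *p = rtsp_host_start(url);
    if (p == NULL)
        return -1;
    size_t n = rtsp_host_len(p);
    memcpy(host, p, n);              /* no check that n < sizeof host */
    host[n] = '\0';
    printf("vulnerable handler parsed host=%s\n", host);
    return (int)n;
}

/* HARDENED form: the caller supplies the buffer and its size, the host
 * length is checked before any byte is copied, and an empty or overlong
 * host is rejected outright. Truncating instead would be unsafe too: it
 * could silently change which server the client ends up talking to.
 * Returns the host length, or -1 if the URL is rejected. */
static int handle_rtsp_url_hardened(const char *url, char *host, size_t host_size)
{
    const char *p = rtsp_host_start(url);
    if (p == NULL || host == NULL || host_size == 0)
        return -1;
    size_t n = rtsp_host_len(p);
    if (n == 0 || n >= host_size)    /* leave room for the terminating NUL */
        return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    return (int)n;
}

/* Convenience wrapper for callers that only need the verdict. */
static int rtsp_host_len_checked(const char *url)
{
    char host[HOST_BUF];
    return handle_rtsp_url_hardened(url, host, sizeof host);
}

/* Builds a constructed URL "rtsp://" + n x 'A' + "/x" (the shape of a
 * length-based attack) and returns the hardened handler's verdict. */
static int host_of_len_verdict(size_t n)
{
    char *url = malloc(7 + n + 3);
    if (url == NULL)
        return -1;
    memcpy(url, "rtsp://", 7);
    memset(url + 7, 'A', n);
    memcpy(url + 7 + n, "/x", 3);    /* includes the NUL terminator */
    int verdict = rtsp_host_len_checked(url);
    free(url);
    return verdict;
}

int main(void)
{
    /* Constructed sample: a benign URL and a 300-byte host. */
    const char *benign = "rtsp://media.example.com:554/stream.mov";
    printf("hardened, benign URL:   %d\n", rtsp_host_len_checked(benign));
    printf("hardened, 300-byte host: %d\n", host_of_len_verdict(300));
    /* The vulnerable handler is exercised with benign input only. */
    printf("vulnerable, benign URL: %d\n", handle_rtsp_url_vulnerable(benign));
    return 0;
}
```

The rejection in the hardened handler is deliberate: a parser that clamps the host to the buffer size avoids the memory corruption but still hands the rest of the program an input the attacker shaped, which is why the check fails closed instead of trimming.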
"This appears to be a very serious bug, not only based on the widespread deployment of QuickTime but due to the ratings of other security vendors," said Rob Ayoub, an analyst at Frost and Sullivan.
No Working Relationship
MOAB is the third "Month of" bug-disclosure project; earlier efforts targeted Web browsers and operating-system kernels. While flaw-finding projects like MOAB provide a service, they also raise legitimate concerns for both the vendors whose products are being probed and the general Internet community, said Graham Cluley, senior analyst at Sophos, a security firm.
The flaw, Cluley said, should be considered highly critical, and it is good news that Apple has issued a patch. It took the Cupertino, Calif.-based software maker 23 days to issue the patch, Cluley said, because of the complexity of issuing a fix for both Macs and PCs.
However, Cluley continued, by making the details of the vulnerability public instead of working with Apple on a responsible disclosure timed to the availability of a patch, the project may have put computer users at unnecessary risk.
"I think these projects have their place in exposing flaws that have had adequate time to be patched and have not [been]," Frost and Sullivan's Ayoub added. "Unfortunately, I believe that most of these [bug-finding projects] are going around the software makers and are a threat to the public, as they do not allow adequate time for a patch to be created and tested."
"The best that companies can do is keep their fingers crossed that vendors will act rapidly and that the bug hunters will work more closely with software developers in the future to coordinate responsible disclosure," Cluley said.
When asked how Apple views these projects, spokesperson Anuj Nayar said the company "always welcomes feedback on how to improve security on the Mac."
"Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users," Nayar added.
Blemished Apple
MOAB creators may have thought that the month-long project would convince many Mac users to reconsider their beliefs that the machines are relatively bug-free. However, Ayoub said most users will not draw that conclusion.
"As we have seen hesitation in home users updating their Windows machines, I believe we will continue to see the same for Apple users. I think MOAB may raise the awareness of flaws for security professionals, but I feel it will have little effect on the perceptions of home users," he explained.
Anyone involved in IT already knows that Macs are not invulnerable to bugs and flaws, said Sophos' Cluley. "So it is not, in our opinion, necessary to go on a public bug hunt to bring the issue to light amongst users."