The Apple patch is the first one to directly address a bug found during the "Month of Apple Bugs" publicity project which started on January 1. Apple has not credited the project in their security bulletin, likely because the researchers refused to notify Apple prior to releasing details of the vulnerability.
The Month of Apple Bugs (MOAB) project is controversial, and the site is peppered with defiant comments and some indignation towards the critical issue of responsible disclosure - the subtle yet important practice of notifying the vendor before releasing details of a new vulnerability.
On the Apple vulnerabilities, the project's FAQ states, "...the point is releasing them without vendor notification. [...] The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."
The researchers have not, however, provided any specific examples of long response times by Apple on the project site.
The project has received criticism and mixed reviews from across the security community for downplaying the need for responsible disclosure, and some believe the publicity may in fact make it harder for security researchers to legitimize their work.
In a related project that was previously reported, software engineer and Mac user Landon Fuller, of game maker Three Rings Design, has been developing and releasing his own patches for the vulnerabilities found by the MOAB project. Fuller's patches use the free Application Enhancer software on OS X to protect Macs until official Apple patches appear; they do not cover Windows, so Windows users remain vulnerable until Apple releases its official patches.
All QuickTime users on Windows and Mac OS X should read the security bulletin and download the patch for their platform.
Posted by: Kelly Martin