Computerworld - Apple on Tuesday patched 15 vulnerabilities in its QuickTime media player for Windows and Mac OS X 10.5, aka Leopard.
The company had patched nine of the bugs in Snow Leopard's version of QuickTime almost a month ago when it updated that edition of Mac OS X to 10.6.5 with a massive 134 fixes.
Two of the 15 affected only QuickTime for Windows; the remaining 13 patched both Leopard's and Windows' QuickTime 7.6.9.
All but one of the 15 were rated "critical" by Apple, which used its usual "May lead to arbitrary code execution" phrase rather than an explicit ranking. Unlike other major developers, such as Google, Microsoft and Oracle, Apple does not assign threat levels to the vulnerabilities it patches.
One noted bug researcher was amazed at the continued cascade of QuickTime flaws.
"OMG, I can't believe how many QuickTime bugs keep being found," said Charlie Miller, a three-time winner at the annual Pwn2Own hacking contest, in a message on Twitter Wednesday. "It's teaspoons from the ocean."
Apple has issued QuickTime security updates four times in 2010, and patched a total of 34 bugs.
As is typically the case with QuickTime, most of the vulnerabilities patched were in code that parsed various media file formats, including FlashPix, GIF and JP2 images; MPEG-encoded movies; and QuickTime panoramas.
Apple stopped updating QuickTime for Mac OS X 10.4, aka Tiger, more than a year ago, and does not officially support the player in the five-year-old operating system.
QuickTime 7.6.9 can be downloaded from Apple's site for Mac OS X, Windows XP, Windows Vista and Windows 7. Mac users can upgrade to QuickTime 7.6.9 using the operating system's built-in Software Update feature, while Windows users can either download the new edition from the Apple site or use the optional Windows update tool.
Mac users running Snow Leopard will not see a separate QuickTime update because fixes were rolled into the security upgrade issued last month.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at 
@gkeizer or subscribe to Gregg's RSS feed 
. His e-mail address is gkeizer@computerworld.com.
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
