
Serious QuickTime flaws put Macs and PCs at risk...
By Joris Evers
Published: 15 May 2006 08:50 BST
Serious flaws in Mac OS X and QuickTime software could put Macintosh and Windows systems at risk of cyber attack, Apple has warned.
In a pair of security alerts released on Thursday, Apple outlined 31 flaws that affect various versions of the operating system and a dozen vulnerabilities in its QuickTime media player software. Security experts have deemed the issues "critical" but Apple does not provide a severity rating. Fixes are available.
The Mac OS X vulnerabilities lie in various components of the operating system and affect both the server and client versions, Apple said in an advisory. An attack could be launched using some of the bugs by creating a malformed file, or by building a malicious website and enticing someone to visit it, the company said.
The French Security Incident Response Team, a security-monitoring company, said in an advisory: "These flaws could be exploited by attackers to execute arbitrary commands, bypass security restrictions, disclose sensitive information or cause a denial of service."
The patches indicate Apple is having a hard time completely resolving a security flaw that surfaced earlier this year. They fix an issue in the "download validation" function, a feature designed to protect Mac users from installing harmful code from a malicious website or email - a risk more familiar to Windows users.
Apple added the function in a security update released in early March. Two weeks later, it issued another update to fix some problems with the feature. Thursday's fix tackles another issue: the download validation may be bypassed if a file has a long name, Apple said.
Critics have argued the download validation function is not enough to address the installation risk, and that Apple needs to correct the problem at a lower level in the operating system.
The QuickTime flaws put both Mac OS X and Windows computers at risk of compromise. All of the vulnerabilities exist because of errors in the way the media player software handles certain files. Specially crafted files in certain media formats - including AVI, Flash, JPEG, MPEG4 and QuickTime - could allow an intruder to hijack a vulnerable system, Apple said in an advisory.
Apple's security update 2006-003 for Mac OS X and the QuickTime patch can be downloaded and installed via Software Update preferences or from the Apple Downloads website.
Joris Evers writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.