In a posting on his Apple Fun blog, LMH described the flaw as a stack overflow error that surfaces when the program handles a malformed "rtsp" URL. To exploit this, attackers could set up a malicious Web site and lure users there. Or, they could trick users into opening a malicious .qtl file.
The French Security Incident Response Team (FrSIRT), which deemed the issue critical, recommended in an advisory that users disable Real Time Streaming Protocol support to mitigate the threat.
Calling the security hole highly critical, Danish vulnerability clearinghouse Secunia recommended in its advisory that users refrain from opening untrusted .qtl files.
This is LMH's second month-long project to expose numerous flaws affecting major computer vendors. In November, he conducted what was called the Month of Kernel Bugs, which was inspired by the Month of Browser Bugs spearheaded by Metasploit Framework creator H.D. Moore last July.