Original URL: http://www.theregister.co.uk/2007/11/06/new_quicktime_update/
Once again, there's a new version of the QuickTime media player, and if you know what's good for you, you'll install it soon, whether you use Windows or OS X.
Apple issued QuickTime 7.3 on Monday to nix seven bugs that left users vulnerable to online miscreants. Six of the flaws made it possible for attackers to remotely run malicious software on a victim's PC. A seventh, which resided in QuickTime for Java, could allow untrusted Java applets to run with elevated privileges, Apple said in a security advisory (http://lists.apple.com/archives/security-announce/2007/Nov/msg00000.html) on its website.
As Apple's popularity has surged over the years, so too has its appeal to organized criminals. Last week a supplier of security products to Mac users detailed a sophisticated Trojan lurking in the wild (http://www.theregister.co.uk/2007/10/31/in_the_wild_osx_trojan/) that causes OS X users to see spoofed web pages when trying to access eBay and other commerce-related destinations.
QuickTime has long been an attractive target because it is widely installed on a variety of Windows and Mac operating systems. The last major security overhaul for QuickTime came in July, when Apple fixed eight security holes. Last month (http://www.theregister.co.uk/2007/10/04/windows_quicktime_update/), the company also patched a Windows-only hole that allowed attackers to inject malicious code onto vulnerable systems. The vast majority of QuickTime attacks require a victim to be tricked into clicking on a malicious link first.
Apple credited a variety of sources for discovery of the latest flaws. They included Adam Gowdiak and employees of 48bits.com (http://blog.48bits.com/), trapkit.de (http://trapkit.de/), Adobe and reversemode.com (http://reversemode.com/) working with TippingPoint and the Zero Day Initiative. ®