A project aimed at disclosing Apple bugs throughout January has revealed its first serious flaw in QuickTime software that could leave Windows and Mac users open to attacks by malicious websites.

The QuickTime flaw launches the Month of Apple Bugs (MOAB), which follows on from efforts such as the Month of Kernel Bugs and the Month of Browser Bugs. The bug was discovered by an anonymous MOAB organiser, known -only as LMH.

The flaw affects any Windows or Mac OS X bug with QuickTime Player version 7.1.3 installed, but previous versions are also probably vulnerable. The problem lies in the way QuickTime handles addresses beginning with "rtsp://", and can be exploited to create a stack-based buffer overflow using HTML, Javascript or a QTL file, LMH said.

The attack can execute malicious code and take over a system. "Exploitation of this issue is trivial," LMH wrote. He supplied a working exploit, which makes the problem all the more dangerous.

The problem hasn't been patched yet. Possible workarounds include uninstalling QuickTime and disabling the rtsp:// handler.

Security advisors, Secunia and FrSIRT both agreed the bug poses an immediate threat.