Security researchers say that the attack code targeting an unpatched bug in Apple Inc.'s QuickTime has gone public and added that attacks against systems running Windows XP and Vista are likely to start emerging.

The critical bug in QuickTime 7.2 and 7.3 (and potentially earlier editions) is in the player's Real Time Streaming Protocol (RTSP), a audio/video streaming standard. According to alerts posted by Symantec Corp. and the U.S. Computer Emergency Readiness Team (US-CERT), attackers can exploit the flaw by duping users into visiting malicious or compromised Web sites hosting specially-crafted streaming content, or by convincing them to open a rigged QTL file attached to an e-mail message.

Kloskowski and an unnamed researcher identified as "InTeL" had followed up with separate proof-of-concept examples that executed on Windows XP SP2 and Windows Vista machines running QuickTime 7.2 or 7.3.

A successful exploit would let the attacker install additional malware -- spyware or a spambot, say -- or cull the system for information like passwords. An attack that failed would likely only crash QuickTime.

Apple's forgetfulness prompted Symantec analyst Anthony Roe to note: "This makes reliable exploitation of the vulnerability a lot easier."

Another Symantec researcher, Patrick Jungles, added that QuickTime vulnerabilities usually draw attackers quickly. "In the past, we have seen a very short period of time between the release of proof-of-concept exploits for QuickTime vulnerabilities and the development of working exploits by attackers," said Jungles in a note to customers of his company's DeepSight threat management service. "Popular applications such as QuickTime are strong candidates for exploitation in the wild."

Apple last patched QuickTime less than three weeks ago, when it released Version 7.3 to fix a number of critical image-rendering and Java-related vulnerabilities. So far in 2007, Apple has issued six QuickTime security-related updates that have fixed a total of 31 flaws.