Apple patches QuickTime bug that was hidden in book

01.06.2009
Apple has issued patches for its QuickTime and iTunes software, fixing critical security flaws along with a bug that was first hinted at earlier this year in a book on Macintosh computer hacking.

The updates fix 10 QuickTime vulnerabilities and a single bug in iTunes. The flaws affect both Windows and Mac users and have been patched in the and releases, published Monday.

Most of the bugs were not publicly known before today's updates, so it's unlikely that they were exploited by cyber-criminals. However, it turns out that one flaw -- a bug in the way QuickTime reads files that are compressed using the JPEG 2000 (JP2) compression standard -- was partially disclosed in Charlie Miller and Dino Dai Zovi's book, released in March.

In an interview Monday, Miller said he put instructions for finding the bug in a section of the book that describes how to find flaws in Apple's software. "If you followed all the steps you would find ... the bug," he said. "I didn't show the bug, but I gave the recipe for how to find it."

Miller disclosed during a talk at the CanSecWest conference in March that he had hidden instructions for finding the flaw in his book. After members of Apple's security team approached him at the conference to ask about the issue, he handed over the exploit code, he said Monday.

Coincidentally, another Mac hacker, Damian Put, sold the same flaw one month later to 3Com's TippingPoint division, which also reported the issue to Apple. Although TippingPoint wouldn't say what it paid Put for the flaw, companies typically pay thousands of dollars for bugs like this. Miller and Dai Zovi's book lists for US$50.