Apple on Wednesday patched eight flaws in its QuickTime media player.
Seven of the flaws allow remote code execution attacks, while the other enables the disclosure of sensitive information.
The patches, released in Apple’s first bulletin of the month — and its 19th security-related distribution of the year — are available for Mac OS X 10.3.9 and later, Mac OS X 10.4.9 and later, and Windows Vista and Windows XP with Service Pack 2 installed.
While seven of the flaws allow an attacker to take over a system via remote code execution, three of the vulnerabilities can be exploited for arbitrary code execution simply by viewing a malicious website. These three easily exploitable vulnerabilities are caused by design issues in QuickTime for Java.
The Cupertino, Calif.-based technology giant credited researcher Adam Gowdiak for reporting the three issues that can be exploited by viewing a malicious webpage.
Other newly patched flaws can be used to infect a system via malicious files, including H.264 movies and .mv4v and SMIL files, according to Apple's advisory.
Apple also disclosed a flaw that can be exploited to gain screenshots when a user visits a website that contains a maliciously crafted Java applet.
Dave Marcus, security research and communications manager at McAfee Avert Labs, told SCMagazine.com today that many QuickTime flaws have been discovered, but they rarely lead to attacks.
"We’ve seen QuickTime and QuickDraw vulnerabilities for years. Avert Labs disclosed 30 of them in 2006 alone," he said, adding that administrators should patch the flaws hastily because of the low level of user interaction required for exploitation. "But I don’t recall any big malware outbreaks because of them."