Apple on Tuesday released a security patch for two issues in QuickTime 7.1.6 for Mac OS X and Windows.
One flaw is an implementation issue in QuickTime for Java, which can be exploited for remote code execution when a user visits a malicious website containing a specially crafted Java applet, according to Apple. The patch allows OS X to perform additional validation of Java applets.
The other flaw is a design issue in QuickTime for Java, which can be exploited to capture sensitive information.
To take advantage of the flaw, an attacker must entice a user to visit a webpage containing a maliciously crafted Java applet, according to Apple.
The update clears browser memory before allowing it to be used by untrusted Java applets, according to Apple’s advisory.
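The design issue described above is a memory-reuse problem: a buffer that trusted code had filled with sensitive data was handed to an untrusted applet without being scrubbed first, so the applet could read the stale contents. The following C program, written for this article as an added illustration and not code from Apple or QuickTime, models that pattern with a single shared arena. Both the arena and the "secret" are constructed sample values; the two handoff functions are hypothetical names that show the unpatched behaviour beside the fix the advisory describes, clearing the memory before an untrusted component may use it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: one arena that trusted host code uses first and
 * that is later handed to an untrusted component (e.g. an applet). */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Trusted code places sensitive data in the arena and then finishes with it. */
static void trusted_use(const char *secret)
{
    memset(arena, 0, ARENA_SIZE);
    strncpy((char *)arena, secret, ARENA_SIZE - 1);
}

/* Unpatched handoff: the arena is reused as-is, stale contents included. */
static unsigned char *handoff_without_clearing(void)
{
    return arena;
}

/* Patched handoff: scrub the arena before untrusted code may use it.
 * On platforms that provide them, explicit_bzero() or memset_s() are
 * preferable because the compiler cannot optimise them away; the
 * global arena is read again afterwards here, so plain memset() stays. */
static unsigned char *handoff_with_clearing(void)
{
    memset(arena, 0, ARENA_SIZE);
    return arena;
}

/* Count how many bytes of the old secret are still visible in what the
 * untrusted component receives. */
static size_t leaked_bytes(const unsigned char *buf, const char *secret)
{
    size_t n = strlen(secret), leaked = 0;
    for (size_t i = 0; i < n && i < ARENA_SIZE; i++)
        if (buf[i] == (unsigned char)secret[i])
            leaked++;
    return leaked;
}

/* Constructed secret; any sensitive string behaves the same way. */
static const char *SAMPLE_SECRET = "session-token-XYZ";

/* Returns the number of secret bytes readable by the untrusted side
 * when memory is NOT cleared first (all 17 here). */
int demo_unpatched(void)
{
    trusted_use(SAMPLE_SECRET);
    return (int)leaked_bytes(handoff_without_clearing(), SAMPLE_SECRET);
}

/* Same scenario with the arena scrubbed before the handoff (0 bytes). */
int demo_patched(void)
{
    trusted_use(SAMPLE_SECRET);
    return (int)leaked_bytes(handoff_with_clearing(), SAMPLE_SECRET);
}

int main(void)
{
    printf("bytes of stale secret visible, unpatched: %d\n", demo_unpatched());
    printf("bytes of stale secret visible, patched:   %d\n", demo_patched());
    return 0;
}
```

The point for defenders is that the boundary between trusted and untrusted code, not the allocator, is where the scrub must happen: any region that has held sensitive data must be cleared before a less trusted component is allowed to read from it.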
Secunia said today that the flaw was discovered by Apple.
Tom Cross told SCMagazine.com today that the growing popularity of multi-platform applications could lead to the same code being executed on Windows, OS X and Linux platforms.
"These things affect every operating system that the software can run on, so it’s not just an OS X issue, it’s something that can affect Windows as well," he said. "And these give the attacker a certain degree of flexibility."
Reached today, Apple spokesman Anuj Nayar referred to the company advisory.
SANS Internet Storm Center handler Joel Esler said yesterday on the organization’s diary that some users had been confused as to what version of QuickTime is the most recent. Esler posted that QuickTime 7.1.6 is the current program version, adding that the bulletin is only a security update.
US-CERT advised users to install the update and disable Java.
The release marks Apple’s fourth security bulletin of the month. Last week the Cupertino, Calif.-based company released patches for 17 flaws in OS X. It also fixed two critical vulnerabilities in Darwin Streaming Server 5.5.4 on May 10 and a flaw in the QuickTime media player that was discovered at CanSecWest in April.