Secunia released an advisory today for a QuickTime vulnerability exposed when researcher Shane Macaulay hacked into a MacBook Pro at CanSecWest last week.
Macaulay won a MacBook, and his partner Dino Dai Zovi earned $10,000, for displaying the flaw. In the process, he exposed a vulnerability in Apple’s QuickTime media player that can be exploited on any Java-enabled browser.
The flaw is caused by an unspecified error within QuickTime’s Java handling and exists on Safari, Firefox and any Java-enabled browser. It can be exploited by attackers to execute arbitrary code, according to Secunia, which ranked the flaw as "highly critical."
The advisory warned that other browsers may be affected as well, and urged end users to disable Java support and avoid untrusted websites.
Secunia also credited Dai Zovi with discovering the flaw.
She said the QuickTime flaw was not patched in Apple’s latest round of security updates, released last week.
Click here to email Online Editor Frank Washkuch Jr.