In the latest instance, Apple has patched two flaws in the media player. The first is a design error that attackers could exploit with Java code to subclass QuickTime objects that call unsafe functions from QTJava.dll. The second is a design error in how Java applets are handled.
Danish vulnerability clearinghouse Secunia said in an advisory that attackers could exploit the flaws to run malicious code and read browser memory on Windows and Mac OS X systems when a user visits a malicious Web site using a Java-enabled browser.
Secunia said the solution is to install QuickTime 7.1.6.
Earlier this month, Apple fixed a QuickTime flaw that made big headlines after a security researcher used it to hijack a Mac machine as part of a hacking contest at the CanSecWest conference.
The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said. But since the contest, researchers have determined that the QuickTime flaw threatens both the Mac and Windows operating systems and that any Java-enabled browser is a viable route of attack, whether it's Safari, Mozilla Firefox or Internet Explorer.
