For the second time in a month, Apple Inc. has been forced to fix a QuickTime flaw attackers could exploit to access sensitive system data and run malicious code.
In the latest instance, Apple has patched two flaws in the media player. The first is a design error that attackers could exploit using Java code: it allows the subclassing of QuickTime objects that call unsafe functions from QTJava.dll. The second is a design error in how Java applets are handled.
Danish vulnerability clearinghouse Secunia said in an advisory that attackers could exploit the flaws to run malicious code and read browser memory on Windows and Mac OS X systems when a user visits a malicious Web site using a Java-enabled browser.
Secunia said the solution is to install QuickTime 7.1.6.
Earlier this month, Apple fixed a QuickTime flaw that made big headlines after a security researcher used it to hijack a Mac machine as part of a hacking contest at the CanSecWest conference.
The contest was designed to raise awareness of the threats facing Mac users, who tend to see Apple's OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser, conference organizers said. But since the contest, researchers have determined that the QuickTime flaw threatens both the Mac and Windows operating systems and that any Java-enabled browser is a viable route of attack, whether it's Safari, Mozilla Firefox or Internet Explorer.