Apple on Tuesday released a security patch for two issues in QuickTime 7.1.6 for Mac OS X and Windows. The patch was distributed less than a week after Apple released 13 patches for 17 vulnerabilities in OS X.
One flaw is an implementation issue in QuickTime for Java, which can be exploited for remote code execution when a user visits a malicious website containing a specially crafted Java applet, according to Apple. The patch allows OS X to perform additional validation of Java applets.
Apple credited researchers John McDonald, Paul Griswold and Tom Cross of IBM Internet Security Systems and Dyon Balding of Secunia Research for reporting the flaw.
The other flaw is a design issue in QuickTime for Java, which can be exploited to capture sensitive information.
To take advantage of the flaw, an attacker must entice a user to visit a webpage containing a maliciously crafted Java applet, according to Apple.
The update clears browser memory before allowing it to be used by untrusted Java applets, according to Apple’s advisory.
Tom Cross told SCMagazine.com today that the growing popularity of multi-platform applications could lead to the same code being executed on Windows, OS X and Linux platforms.
"These things affect every operating system that the software can run on, so it’s not just an OS X issue, it’s something that can affect Windows as well," he said. "And these give the attacker a certain degree of flexibility."
The release marks Apple’s fourth security bulletin of the month. Last week the company released patches for 17 flaws in OS X. It also fixed two critical vulnerabilities in Darwin Streaming Server 5.5.4 on May 10 and a flaw in the QuickTime media player that was discovered at CanSecWest in April.