Apple is recommending that all QuickTime users--both on Windows and Mac OS X--download its update for Version 7.1.6 to fix <A HREF="http://www.eweek.com/article2/0,1895,2138731,00.asp?kc=EWKNLNAV053107STR2">a pair of security glitches.</A> The company posted the updates on May 29.
One of the two problems, in QuickTime for Java, can lead to users having their systems hijacked if they visit a malicious site. The flaw can allow instantiation or manipulation of objects outside of the bounds of the allocated heap. If a user gets lured to a site containing a maliciously crafted Java applet, an attacker can trigger the vulnerability and take over the target system.
The second glitch is also related to QuickTime for Java: a Web browser's memory can be read by a Java applet. As with the other problem, a user has to visit a site with a maliciously crafted Java applet. Upon luring a victim to such a site, an attacker can take advantage of the vulnerability and may thereby be able to read sensitive information off the victim's system.