James Delahunty
31 May 2007 19:54
Apple Inc. has fixed more serious security bugs with QuickTime. This time, users tricked into visited malicious webpages could either have their privacy breached or worse, have arbitrary code executed on their computers. The patches released are for both Microsoft's Windows operating systems and the Mac platforms.
The worst of the two involved QuickTime's implementation of Java, which could allow for the manipulation of objects outside what should be allowed by the allocated heap. "By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution," Apple said in this advisory.
The second flaw deals also deals with how QuickTime works with Java, and can lead to a user's web browser information being stolen, possibly putting sensitive information at risk. Apple gave credit to John McDonald, Paul Griswold, and Tom Cross of IBM Internet Security Systems X-Force and Dyon Balding of Secunia Research for reporting the flaws.
Source:
Reg Hardware