Tuesday, May 29, 2007, 04:40 pm

Apple patches two critical QuickTime for Java flaws

By AppleInsider Staff

On the heels of last week's Mac OS X security update, Apple on Tuesday released another software patch that the company is recommending for all users of its latest QuickTime media software.

Security Update (QuickTime 7.1.6)

The release, available as a 1.4MB download for Macs and 1.1MB download for Windows PCs, patches two open gashes in the version of QuickTime for Java that ships with QuickTime 7.1.6.

In particular, Apple said a design issue exists in the Java software which may allow a web browser's memory to be read by a Java applet. Therefore, by enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information from recent browser sessions. Apple said it has addressed the issue in the security update by clearing memory before allowing it to be used by untrusted Java applets.

Meanwhile, the Mac maker said a second implementation issue discovered in QuickTime for Java may allow malicious websites to trigger arbitrary code execution. The company said the update addresses the issue by performing additional validation of Java applets.

Security Update 2007-005

The QuickTime for Java fix comes just five days after Apple released Security Update 2007-005 for both its Mac OS X Tiger (15.7MB download for PowerPC Macs, 29.2MB download for Intel Macs) and Mac OS X Panther operating systems (56MB download for Panther Server and 42.5MB download for Panther client).

For Tiger users, the security updated patched issues with bind, CarbonCore, CoreGraphics, crontabs, fetchmail, file, iChat, mDNSResponder, PPP, ruby, screen, texinfo, and VPN.

For Panther users, the update addresses issues with bind, CarbonCore, crontabs, fetchmail, file, iChat, ruby, screen, texinfo, and VPN.