Apple posted a security update for its QuickTime media technology yesterday. The update fixes two issues found with the application that could allow an outsider to execute code and disclose sensitive information.
According to Apple the first issue is with an implementation problem in QuickTime for Java, "which may allow instantiation or manipulation of objects outside the bounds of the allocated heap". When a user goes to a web page containing a maliciously crafted Java applet, a hacker could trigger the flaw leading to arbitrary code execution.
This issue has been fixed by performing additional validation of Java applets.
The second issue may lead to the disclosure of sensitive information. Again, using an issue with QuickTime for Java, this flaw could allow a web browser's memory to be read by a Java applet. This update addresses the issue by clearing memory before allowing it to be used by Java applets.
Security Update (QuickTime 7.1.6) 1.0 is available via the Software Update mechanism in Mac OS X.