Apple has issued a patch to close the QuickTime security hole recently identified by hackers.
QuickTime 7.1.6 is available for Mac and Windows systems and fixes the flaw, through which visiting a malicious website may lead to arbitrary code execution.
Apple described the weakness as an implementation issue in QuickTime: "By enticing a user to visit a webpage containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution," the company said in its description of the problem.
The update addresses this by performing additional checks when creating "QTPointerRef objects," the company said. "Credit to Dino Dai Zovi working with TippingPoint and the Zero Day Initiative for reporting this issue," it added.
Dino Dai Zovi won $10,000 for reporting the flaw in a Mac hacking contest initiated at the CanSecWest security conference in Vancouver about two weeks ago.
It's interesting to note that the competition originally challenged conference attendees to break into a Mac that wasn’t running any applications. When no one was able to achieve this, the contest was changed to allow hackers taking part to attempt a break-in using Safari.
The security update is available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4.
The Mac version of the update also delivers numerous bug fixes, addresses a critical security issue with QuickTime for Java, and includes support for Final Cut Studio 2 and for timecode and closed captioning display in QuickTime Player.