
Security for All

Sûnnet Beskerming is a company with a focus and a drive to provide Information Security services for all those who want to stay safe and secure in an online world.


QuickTime - Remote hacker automatic control data theft

Version: 7.1.5 and prior.
Technical Details:

A heap overflow affecting QuickTime for Java can lead to arbitrary code execution. A second issue is a memory leak in QuickTime for Java, which can allow a remote user to read arbitrary sections of the browser's memory (potentially disclosing sensitive data held in the browser).

Description:

Apple have released an updated version of the QuickTime media codec to address two serious issues with QuickTime for Java support. In the worst case, the first vulnerability can allow a remote attacker to take control of a vulnerable system; the second can allow remote attackers to gain access to sensitive information.

Mitigation:

Update to QuickTime 7.1.6 as soon as possible, either via the Product Updates link or via the Software Update application (Apple Menu->Software Update).

Updates:

http://www.apple.com/support/downloads/

Source:

http://docs.info.apple.com/article.html?artnum=61798

Exploits:

External Tracking Data:

CVE-ID: CVE-2007-2388
CVE-ID: CVE-2007-2389

