Security flaws in Apple's popular digital media products are beginning to add up.
Researchers at eEye Digital Security have pinpointed two high-risk vulnerabilities in iTunes and QuickTime that could put millions of Windows and Mac users at risk of code execution attacks.
Aliso Viejo, Calif.-based eEye issued two alerts on its upcoming advisories Web page to warn of heap overflows and integer overflows in the two Apple products.
Apple's iTunes is a wildly popular online media service that sells music downloads, and QuickTime is the company's flagship media player.
eEye said the vulnerabilities affect QuickTime/iTunes on Windows NT, Windows 2000, Windows XP and Windows Server 2003. Mac OS X users are also vulnerable to the code execution attacks.
Apple does not comment on potential security vulnerabilities in its products until a fix is available. eEye only releases basic information on the existence of the bugs but withholds technical details until a patch is ready.
In the meantime, users are urged to avoid clicking on untrusted media files.
The latest flaw discoveries come at a sensitive time for Apple. The company is under intense scrutiny after the recent release of exploit code for a Safari browser flaw and the discovery of two pieces of malware affecting Mac OS X users.
On March 1, Apple shipped a Mac OS X security update with patches for more than a dozen security vulnerabilities. The monster update included five patches for Safari, including an “extremely critical” flaw that could cause remote code execution attacks if a user simply viewed a maliciously rigged Web page.