One of the first two problems, in QuickTime for Java, can lead to users' systems being hijacked if they visit a malicious site. The flaw can allow instantiation or manipulation of objects outside the bounds of the allocated heap. If a user is lured to a site containing a maliciously crafted Java applet, an attacker can trigger the vulnerability and take over the target system.
The second glitch is also related to QuickTime for Java: a Web browser's memory can be read by a Java applet. As with the other problem, a user has to visit a site with a maliciously crafted Java applet. Upon luring a victim to such a site, an attacker can take advantage of the vulnerability and may thereby be able to read sensitive information off the victim's system.
This is the second time this month that Apple has fixed QuickTime holes. Earlier in May, Apple patched the QuickTime hole that allowed hackers at the CanSecWest security show to take over a MacBook Pro in a Pwn-2-Own contest on April 20.
That earlier hole was a serious one: Terri Forslof, manager of security response at TippingPoint, compared it to the Windows animated cursor vulnerability in terms of impact and the possibility of system hijacking to which both flaws can lead.
"The method of attack is the same as what Microsoft calls 'Click and you're owned.' You get an e-mail, visit a malicious Web site and boom, you're owned. Where there's still that one-step user interaction, it's still a serious vulnerability. Anytime you illegally break into a machine, it's a hack," Forslof said at the time.
As in one of the two QuickTime flaws that Apple fixed on May 29, the Pwn-2-Own hole fixed earlier in the month involved a problem with the implementation of QuickTime for Java that allowed reading or writing out of the bounds of the allocated heap, and it also worked by enticing a user to visit a site containing a maliciously crafted Java applet.