Apple has released a patch for the QuickTime vulnerability found during a recent $10,000 hack-the-Mac contest.
“By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution,” Apple said in its description of the problem.
Apple credits Dino Dai Zovi, who won the $10,000 in a Mac hacking contest at the CanSecWest security conference in Vancouver about two weeks ago, for reporting the flaw. The contest originally challenged conference attendees to break into a Mac that wasn’t running any programs. When no one managed to do so, the contest allowed participants to try to break in through the browser. Dai Zovi was the first to succeed.
Apple also credits 3Com's TippingPoint division, which put up the $10,000 prize, and the Zero Day Initiative for help in reporting the issue.
Because the flaw lies in QuickTime, which is also used by Microsoft’s Internet Explorer and Mozilla’s Firefox browsers, PC users are also vulnerable.