Terri Forslof, manager of security response at 3Com's TippingPoint division, which paid security researcher Dino Dai Zovi $10,000 for the flaw he found in Apple's Safari browser at last week's CanSecWest security conference, has disclosed that the vulnerability actually lies in the way Apple's QuickTime media player interacts with the Java programming language. QuickTime runs on both Windows and the Mac, meaning users on both operating systems can be attacked.
The bug "is the equivalent to a 'click and you're owned' vulnerability," said Forslof. Because details of the flaw have not been publicly disclosed, it is not considered a significant threat to QuickTime users. Dai Zovi, who lives in New York, used a URL to expose the hole. He said he has reported at least eight security vulnerabilities to Apple and has had "nothing but positive interactions" with the company.