For the second time this month and the fourth time this year, Apple has patched its QuickTime media player to close critical holes.
The security update for QuickTime 7.1.6 comes on the heels of a 17-patch collection for Mac OS X and fixes two bugs in the software's handling of Java. One of the pair could result in what Apple traditionally calls "arbitrary code execution", which means that an attacker could hijack the computer. "By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue," Apple's advisory warned.
The second vulnerability, Apple said, could give an attacker access to data in the computer's memory, which might include sensitive or confidential information such as passwords for logging onto a network or web site.
On 1 May, Apple released new versions of QuickTime for both Mac OS X and Windows to plug a hole uncovered during the highly publicised $10,000 (£5,000) hack challenge at the CanSecWest security conference in British Columbia. Before the hacking contest bug fix, Apple had issued QuickTime security updates on 5 March and 23 January.
Earlier this month, security company Secunia released data that showed one in three installed copies of QuickTime were not fully patched, making it three times more likely to pose a threat than Internet Explorer and six times more likely than Firefox.
In an alert of its own, Symantec said that the vulnerabilities might be attractive to attackers because they affect both Macs and Windows-based PCs.
Apple's patches apply to both the Mac OS X and Windows versions of QuickTime, and they can be downloaded from the company's site manually. Mac users can retrieve them with the operating system's Software Update feature, while Windows users can use the optional Apple Software Update utility.