Another iTunes and QuickTime flaw?

Joris Evers Staff Writer, CNET News.com

A serious security vulnerability exists in Apple Computer's iTunes and QuickTime software, bug hunter Tom Ferris reported on his Security-Protocols.com Web site Friday.

"The vulnerability allows an attacker to reliably overwrite heap memory with arbitrary data in order to execute arbitrary code on a targeted host," Ferris wrote.

An attacker could commandeer a computer running Windows or Mac OS X by tricking a user into opening a malicious media file, Ferris said in an interview. The problem was reported to Apple on Friday, he said.

To limit risk to users of the vulnerable software, Ferris won't disclose further details of the flaw until Apple provides a fix, he said. "Once they release the patch, I will release a full blown advisory," he said.

On his Web site, Ferris offers a screenshot of a QuickTime player that has crashed on a Windows XP machine as proof of the bug.

Word of the QuickTime and iTunes flaw comes a day after eEye Digital Security issued an alert on flaws in RealPlayer.

Cybercriminals are shifting their attacks from operating systems such as Windows to media players and other applications, the SANS Institute said recently.