The vulnerability is related to how QuickTime handles Java, said security researcher Dino Dai Zovi. An attacker can, he said. Initial reports were that the flaw was in Safari, Apple's Web browser.
"It is a vulnerability within QuickTime. Safari and Firefox on Mac OS X are vulnerable," Dai Zovi said. QuickTime is also widely used on Windows machines, so Windows users may also be at risk, he said. "At this time, Firefox on Windows is considered at risk," Dai Zovi said.
Security monitoring company Secunia deems the flaw "highly critical," one notch below its most serious rating. "This can be exploited to execute arbitrary code when a user visits a malicious Web site," Secunia said. Apple's was in March.
Shane Macaulay, a software engineer and a friend of Dai Zovi's, hacked into a MacBook using the QuickTime security hole on Friday. The computer was one of two offered as a prize in the at the CanSecWest conference in Vancouver, British Columbia.
The successful attack on the second and final day of the contest required a conference organizer to surf to a malicious Web site using Safari on the MacBook--a type of attack.
Apple has declined to comment on the MacBook hack specifically, but spokeswoman Lynn Fox last week provided Apple's standard security comment: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users," she said.
Further details on the flaw are being kept confidential until Apple patches it. Dai Zovi has submitted the vulnerability to TippingPoint's. TippingPoint, which sells intrusion prevention systems, had offered a $10,000 prize for a Mac zero-day vulnerability to make the CanSecWest contest more appealing to hackers.
"TippingPoint has offered to purchase the vulnerability and I have agreed, payment is pending," Dai Zovi said.
Disabling Java in a browser shields a computer against attacks that exploit the flaw, Dai Zovi said. Macs are vulnerable by default because Apple ships QuickTime with the operating system. Windows users are only vulnerable if QuickTime is installed.