iTunes security flaw enters the spotlight

Don't open media files from sources you don't trust -- it may lead to your computer being hacked because of a security flaw in Apple's popular iTunes and QuickTime software, Tom Ferris, an independent security researcher, has warned.

An attacker could commandeer a vulnerable computer by tricking a user into opening a malicious ".mov" media file, the bug hunter said in an advisory posted on his Security-Protocols.com Web site late on Tuesday.

"The vulnerability allows an attacker to cause the program to crash and could allow the execution of arbitrary code," Ferris said. "The flaw exists in all current and earlier versions of iTunes and QuickTime."

Security-monitoring company Secunia rates the issue "moderately critical", while the French Security Incident Response Team, a research outfit, tags it "critical". Apple did not respond to a request seeking comment.

Ferris said he reported the problem to Apple earlier this month. On 2 December, he posted only a snippet of information on the flaw on his Web site, followed Tuesday by a complete security advisory, including examples of malformed media files that cause iTunes and QuickTime to crash.

Media player flaws are nothing new. Cybercriminals are shifting their attacks from operating systems such as Windows to media players and other applications, the SANS Institute said recently. Apple has had to fix flaws in its software before. eEye Digital Security earlier this month issued an alert on flaws in RealNetworks' RealPlayer.

For protection, Ferris recommends that computer users don't open media files, or any file for that matter, from untrusted sources.
