The vulnerability is caused by an error in the way Apple QuickTime handles Java. It can be exploited if a user visits a malicious Web site, running a Java-enabled browser. Researchers said that includes Microsoft's Internet Explorer, along with Mozilla's Firefox and Apple's Safari browser. The bug also affects Windows Vista through Internet Explorer 7.
Dmitri Alperovitch, principal research scientist at Secure Computing, said the bug also could be exploited through e-mail, either through links to malicious Web sites or by using HTML code in the e-mail that will trigger QuickTime to launch.