The security hole used to breach a MacBook in a hack-a-Mac competition last week lies in Apple's QuickTime media player, the flaw finder said Tuesday.

The vulnerability is related to how QuickTime handles Java, said security researcher Dino Dai Zovi. An attacker can exploit the bug through Safari or Firefox, he said. Initial reports were that the flaw was in Safari, Apple's Web browser.

"It is a vulnerability within QuickTime. Safari and Firefox on Mac OS X are vulnerable," Dai Zovi said. QuickTime is also widely used on Windows machines, so Windows users may also be at risk, he said. "At this time, Firefox on Windows is considered at risk," Dai Zovi said.

Mac hacked through QuickTime flaw [news.com.com]