Apple has released a QuickTime security update which patches eight vulnerabilities, including seven which could be used for remote code execution. 

The update applies to QuickTime for Mac OS 10.3.9, 10.4.9 or later, as well as Windows XP and Vista.

Seven of the vulnerabilities allow for remote code execution, meaning that a successful exploit could allow an attacker to install malware or take control of a target system.

The French Security Incident Response Team has classified the update as 'critical', the organisation's highest alert level. Security vendor Secunia classified the update as 'highly critical', the fourth of its five alert levels. 

Apple has apparently known about some of the flaws since last year. Security researcher Tom Ferris, who was credited with discovering two of the flaws, claims to have notified the company of one in April 2006 and another in November 2006. 

As company policy, Apple does not publicly acknowledge any vulnerabilities until a patch has been released.

Four of the remote code execution vulnerabilities were found in QuickTime's Java components. Three will allow an attacker to execute arbitrary code, while a fourth will allow the attacker to capture a screenshot of the victim's computer.

All are exploited by way of a specially-crafted Java applet launched from a web page.

QuickTime has been a system component of Mac OS since 1991. It has also become a staple of Windows systems in recent years because it is included as a component of Apple's iTunes media player.

Security experts warned that this widespread use has begun to make QuickTime a popular target for malware authors.

Security vendor F-Secure noted that the MPack attack utility, which was used to carry out last month's 'Italian job' attacks, includes exploit code for QuickTime flaws. 

The QuickTime update is available through Apple's software update utility or as a download from the Apple support website.