Apple released two security updates on Tuesday to fix flaws affecting the Mac OS X as well as patch a vulnerability in QuickTime that two researchers used to win the PWN to Own contest at CanSecWest.

The update to the Mac OS X adds fixes for two new issues -- a vulnerability in the operating system's AirPort driver and another in the file transfer protocol (FTP) server -- that were not fixed in the April update. The patch for QuickTime fixes a critical issue in the way the multimedia software handles Java commands, according to Apple's advisory.

"An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap," the advisory stated. "By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution."

Security researcher Dino Dai Zovi found the QuickTime flaw almost two weeks ago as a way to win the CanSecWest PWN to Own competition, which tasked researchers to compromise either of two MacBook Pros placed on a closed network. Dai Zovi found the vulnerability early Friday morning, asking another security professional to actually use the attack against the laptops. Dai Zovi won a $10,000 bounty offered by TippingPoint, the security division of networking giant 3Com, while the other researcher, Shane Macaulay, took home the computer.

The vulnerability had originally been described as an issue in Apple's Safari browser, but actually affects any browser on the Mac OS X or Windows XP Service Pack 2 or Windows 2000 Service Pack 4 that uses QuickTime to handle certain types of media files.