According to an alert posted Thursday by eEye Digital Security, a "remotely exploitable flaw exists that allows arbitrary code to be executed in the context of the logged in user." The security vendor traditionally doesn't provide details on vulnerabilities it discovers until the affected vendor produces a patch.
On Tuesday, Apple released a security update to iTunes 6 for Windows; the bug reported by eEye, however, wasn't addressed in that fix.
Also on Thursday, eEye warned of a similarly critical bug in various versions of Apple's QuickTime media player on both the Windows and Mac platforms. That vulnerability can also be exploited remotely, and might result in an attacker grabbing control of the affected computer.
Apple's policy is not to confirm or comment on potential security problems until it has wrapped up its investigation and, if necessary, created a fix for the flaw.