Apple issues security update for iTunes
Apple on Thursday morning issued a security update for iTunes. The update is for users of Mac OS X v10.3.9, Mac OS X v10.4.7 or later and Windows XP and Vista. It addresses a vulnerability identified in CVE-2007-3752.
According to Apple, opening a maliciously crafted music file may lead to an unexpected application termination or arbitrary code execution. Specifically, a buffer overflow exists in the way that iTunes processes album cover art. By enticing a user to open a maliciously crafted music file, an attacker may trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution. Apple credits David Thiel of iSEC Partners for reporting this vulnerability.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 





version, not a separate patch.
The update being cited in the story is the 7.4 update; this is an EXTREMELY misleading and strangely biased article about an update that did a whole lot more than fix a security issue. I don't mind the news of a security hole being fixed in the software, but not mentioning that the update also included many enhancements to the software, such as ringtone support for iPhone and the ability to play video within the iTunes window, sure makes it look like there were alternative intentions in the writing of this article.
- Separate updates
- by supermjr September 9, 2007 12:38 PM PDT
- When I updated my iTunes, my 7.4 update was about 60 megabytes and then a separate 7.4.1 update was about 11 megabytes. The 7.4 probably had all the features of ring tones and other enhancements while the security patch was likely the 7.4.1 update.