November 18, 2005 7:10 AM PST

Apple iTunes security flaw discovered

A correction was made to this story. Read below for details.

A critical vulnerability, found in some versions of Apple Computer's popular iTunes, could enable attackers to remotely take over a user's computer, according to a warning issued Thursday by a security research firm.

The discovery of this flaw comes days after Apple issued its security update for iTunes 6 for Windows.

This flaw existed on the earlier version of iTunes 6 for Windows and was not addressed by the newest security update, according to a warning issued by eEye Digital Security.

After eEye mistakenly posted a note on its Web site saying the iTunes flaw affected "all operating systems," the security firm updated its warning to indicate that the flaw had been found only on the Windows operating system so far.

However, eEye is now testing whether the flaw also affects iTunes running on Mac operating systems.

Apple iTunes 6 for Windows, as well as the previous version, is affected by the flaw, said Steve Manzuik, product manager at eEye.

The flaw enables malicious hackers to launch arbitrary code remotely, once a user clicks on a malicious Web site link or opens a malicious e-mail, Manzuik said.

"iTunes is widespread, so there is a large exploit base," Manzuik said, noting that no exploit code has been published to date.

The iTunes 6 for Windows security patch that Apple released earlier this week was designed to prevent the wrong helper application from launching.

The helper program searches multiple system paths to figure out which program to run, but the flaw could allow an attacker to arrange for a different program to be started by iTunes in its place.
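The weakness the article describes is a search-order problem: a launcher walks an ordered list of directories and runs the first file matching the helper's name, so a directory that is consulted before the real helper's location, and that an unprivileged user can write to, decides what actually runs. The following is an added example, not code from the article, from Apple or from eEye; it models that behaviour on a constructed directory list (the paths, file names and permission flags are sample data, and the function names are this example's own) and shows the audit a defender would run against such a search order alongside the hardened launcher that pins the helper to one known-good directory.

```python
"""Search-order audit for a launcher that resolves a helper program by name.

Added example, not code from the article or from Apple/eEye. The directory
list, file layout and permission flags below are constructed sample data;
the function names are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class Dir:
    """One directory in the search order (constructed model, not a real FS)."""
    path: str
    files: set = field(default_factory=set)
    # True if an unprivileged user can create files here.
    untrusted_writable: bool = False


def resolve_helper(search_order, name):
    """Naive launcher: return the directory whose copy of `name` runs first."""
    for d in search_order:
        if name in d.files:
            return d.path
    return None


def audit_search_order(search_order, name, trusted_dir):
    """Flag what a defender would want to know about this search order.

    Returns a list of findings covering:
      * directories consulted before `trusted_dir` that an unprivileged
        user can write to (a file planted there would be picked up), and
      * a copy of `name` already present ahead of `trusted_dir`.
    """
    findings = []
    for d in search_order:
        if d.path == trusted_dir:
            break  # everything after the trusted location is irrelevant
        if d.untrusted_writable:
            findings.append(
                f"{d.path} precedes {trusted_dir} and is writable by unprivileged users"
            )
        if name in d.files:
            findings.append(f"{d.path} already contains {name} ahead of {trusted_dir}")
    return findings


def hardened_resolve(search_order, name, trusted_dir):
    """Mitigation: ignore the search order and launch only from the known-good directory."""
    for d in search_order:
        if d.path == trusted_dir and name in d.files:
            return d.path
    return None


# Constructed sample: the intended helper lives in the application directory,
# but a per-user temp directory (writable by that user) is consulted first.
SAMPLE_ORDER = [
    Dir(r"C:\Users\alice\AppData\Local\Temp", {"helper.exe"}, untrusted_writable=True),
    Dir(r"C:\Windows\System32", {"notepad.exe"}),
    Dir(r"C:\Program Files\ExampleApp", {"helper.exe"}),
]
TRUSTED = r"C:\Program Files\ExampleApp"

if __name__ == "__main__":
    print("naive launcher picks:", resolve_helper(SAMPLE_ORDER, "helper.exe"))
    for finding in audit_search_order(SAMPLE_ORDER, "helper.exe", TRUSTED):
        print("finding:", finding)
    print("hardened launcher picks:", hardened_resolve(SAMPLE_ORDER, "helper.exe", TRUSTED))
```

On the sample data the naive launcher resolves the helper from the temp directory, the audit reports both the writable directory and the stray copy ahead of the application directory, and the hardened launcher returns only the application directory (or nothing at all if the helper is missing there, rather than falling back to the search order).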

An Apple representative was not available for comment, but the company has a policy of not discussing or confirming security issues until it has conducted an investigation and issued any needed patches, according to a posting on its Web site.

eEye says it does not provide extensive details on security flaws until a vendor has released a patch to resolve the flaw.


Correction: This story initially quoted an incorrect report on the eEye Digital Security Web site saying an iTunes security flaw affected both Windows and Mac operating systems. To clarify, eEye is still testing the flaw on the Mac OS.

And So...
It Begins. No company makes a perfect product...Oh wait...Apple made everything, including the heavens and the earth, nevermind.
Posted by SystemsJunky (409 comments )
Dumbass
Anyone who genuinely thinks Apple makes completely flawless
products is as big a fool as you obviously are. We're all
consumers folks, not clan members. We do not owe allegiance to
anyone.

A better response to this issue would be to ask how one actually
exploits the flaw if it is a remotely executable one and the only
remote thing that iTunes accesses is the iTunes music store? The
only other thing I can think of is the music library sharing
feature which we can all turn off if that's the only other way of
accessing iTunes remotely.

Being merely an educated user and not a Mac genius is there
anyone out there who knows any better?
Posted by privatec (75 comments )
is Windows only. Not OSX
n/t
Posted by NeverFade (402 comments )
source
As in . . . a research firm has determined that cigarettes are not
harmful and addictive.
This firm sells security software. Would be surprised to learn that
they announce that they have found a security flaw? Not me.
Posted by jean.luc.picard (68 comments )
Yes indeed.
I just looked up the eEye site and indeed their solution to the
problem is to buy their product.

Not proof of exaggeration but reason enough I think for doubting
their intentions.
Posted by privatec (75 comments )
So let me guess
The "solution" is to buy the security companies product(s), right?

What version(s) of iTunes does this impact? Have there been any real world reports of security breaches? How exactly are hackers supposed to get into my iTunes to begin with? Some salient details and facts would go a long way to supporting what is at present a somewhat dubious article.
Posted by R. U. Sirius (745 comments )
Good guess
That goes for about 99% of the flaws in Windows as well.
Posted by SystemsJunky (409 comments )
Hmm
"The latest iTunes flaw, however, runs on all operating systems from Windows XP to Mac OS X".

Does this mean - GULP - OS X isn't perfect, after all ?

Having read the report, it's in the Initial stage. So it'll be interesting to see how this develops.

"Description: A remotely exploitable flaw exists that allows arbitrary code to be executed in the context of the logged in user." - doesn't sound trivial (especially if the arbitrary code was like "FORMAT C:").
Posted by (409 comments )
OS X?
"Does this mean - GULP - OS X isn't perfect, after all ?"

Not yet. Look at original advisory:

Operating Systems Affected:
All Microsoft Operatins Systems.
Posted by harry.callaghan (1 comment )
OS X?
According to the Cnet article, the flaw "runs" on all operating
systems (Mac and Windows)

However, the link to eEye (for the November 17, 2005 iTunes
vulnerability report EEYEB-20051117b) states:

"Operating Systems Affected:
All Microsoft Operatins (sic) Systems"

Now where do you see OS X in that statement?
Posted by Terry Murphy (82 comments )
Typical CNet story
incomplete, FUD and will post advertising as news... lol
Posted by BobBobBobBobBobBobBob (49 comments )
test
test
Posted by sabot96 (24 comments )