Apple Computer has patched a flaw in iTunes that could open the door to a remote attack on a person's computer.
The fix was released as part of the company's iTunes 4.8 update. Earlier versions of the music software have a vulnerability within MPEG-4 file parsing, Apple said in a security advisory. People who access a malicious MPEG-4 file could trigger a buffer overflow exploit, which could then allow an attacker to gain remote control of their computer without their knowledge or crash iTunes.
"This is considered highly critical because it doesn't require significant user interaction," said Thomas Kristensen, chief technology officer at Secunia, which released an advisory on the security hole on Tuesday. "If you visit a malicious Web site and have an MPEG-4 data stream handled by an iTunes application, you could be affected."
The iTunes update is designed to improve the validation checks that are used when MPEG-4 files are loaded. It is available for Mac OS X, Microsoft Windows XP and Microsoft Windows 2000.
Apple's move follows the release last week of 20 fixes for holes in its Mac OS X operating system software.
The company plugged an earlier hole in iTunes in January in its version 4.7 update to the software, fixing a flaw in the handling of playlists, Kristensen said. That earlier vulnerability could also be exploited to terminate iTunes and execute arbitrary code.
I mean, come on - the point is that dodgy sites often go to trouble to make themselves look legitimate. That's not a reason to say that this isn't critical.
You might be right that the risk was only in iTunes but news stories are still not interactive so more details might not be easily found. Specifically there was a buffer overflow in MPEG 4 decoding which makes it sound more like a QuickTime problem. If you are using QuickTime on your Mac or PC for web content you could easily be at some random site viewing MPEG 4 content. If that is the case then iTunes would just be what a journalist might use in a news story because it has higher recognition.
In fact it is not likely that the actual MPEG 4 code would be in iTunes but I am just speculating here.
4.8 is not primarily a patch, but fixing a flaw so fast looks good on Apple
Completely unmentioned in this "news" story is the fact that the 4.8 update enables Quicktime video support (purchasing and playback) in iTunes.
CNet loves Secunia's PR releases, though, so they went with that, even though once again this flaw was a non-issue and went from security-company discovery to patch in less than a week.
I'm just thankful that Apple is quick to repair all their security flaws. There was an article earlier about malware in the new Tiger OS, but they've issued a resolution for it already. I guess we just sit and wait for the next hole to be discovered in Apple software.
Has Apple started hiring ex-MS programmers or what?
not, the fix would appear to be not downloading music from 'dodgy' sites.
If this was a Microsoft issue, then it would be front-page news for TWO DAYS on CNET, but since it's mozilla, it goes unmentioned:
---------------
News: Zero-Day Firefox Exploit Sends Mozilla Scrambling
The open-source Mozilla Foundation rushes out a partial fix for an "extremely critical" Firefox flaw after exploit code leaks onto the Web.
http://ct.enews.eweek.com/rd/cts?d=186-2006-8-85-100214-227178-0-0-0-1
And Apple articles routinely make their most-read stories, so they LOVE to combine "flaws" with Apple. It gets a rise out of their readers.
It was on the front page all day yesterday.
http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html
We value our readers and strive to deliver the news in a timely fashion.
Take care and appreciate all comments,
Dawn
which ARE primarily downloaded from sites OTHER than iTunes (ITMS).
I am NOT a mac hater. Just the opposite. But I think we should keep the confusion to a minimum. If I am wrong, then I will do my Rosanna ODanna bit.