May 10, 2005 10:00 AM PDT

Apple plugs security hole in iTunes

Related Stories

iTunes hack disabled by Apple

March 21, 2005

Hackers build backdoor into iTunes

March 18, 2005
Apple Computer has patched a flaw in iTunes that could open the door to a remote attack on a person's computer.

The fix was released as part of the company's iTunes 4.8 update. Earlier versions of the music software have a vulnerability within MPEG-4 file parsing, Apple said in a security advisory. People who access a malicious MPEG-4 file could trigger a buffer overflow exploit, which could then allow an attacker to gain remote control of their computer without their knowledge or crash iTunes.

"This is considered highly critical because it doesn't require significant user interaction," said Thomas Kristensen, chief technology officer at Secunia, which released an advisory on the security hole on Tuesday. "If you visit a malicious Web site and have an MPEG-4 data stream handled by an iTunes application, you could be affected."

The iTunes update is designed to improve the validation checks that are used when MPEG-4 files are loaded. It is available for Mac OS X, Microsoft Windows XP and Microsoft Windows 2000.

Apple's move follows the release last week of 20 fixes for holes in its Mac OS X operating system software.

The company plugged an earlier hole in iTunes in January in its version 4.7 update to the software, fixing a flaw in the handling of playlists, Kristensen said. That earlier vulnerability could also be exploited to terminate iTunes and execute arbitrary code.

38 comments

Join the conversation!
Add your comment (Log in or register)
Is it me?
Does anyone ever use iTunes to go anywhere other than iTMS? If
not, the fix would appear to be not downloading music from
'dodgy' sites.
Posted by privatec (75 comments )
Reply Link Flag
well, i can use that argument for any site
I mean, come on - the point is that dodgy sites often go to trouble to make themselves look legitimate. That's not a reason to say that this isn't critical.
Posted by (127 comments )
Link Flag
Maybe not that simple
You might be right that the risk was only in iTunes but news stories are still not interactive so more details might not be easily found. Specifically there was a buffer overflow in MPEG 4 decoding which makes it sound more like a QuickTime problem. If you are using QuickTime on your Mac or PC for web content you could easily be at some random site viewing MPEG 4 content. If that is the case then iTunes would just be what a journalist might use in a news story because it has higher recognition.

In fact it is not likely that the actual MPEG 4 code would be in iTunes but I am just speculating here.
Posted by Steve Bryan (92 comments )
Link Flag
Is it me?
Does anyone ever use iTunes to go anywhere other than iTMS? If
not, the fix would appear to be not downloading music from
'dodgy' sites.
Posted by privatec (75 comments )
Reply Link Flag
well, i can use that argument for any site
I mean, come on - the point is that dodgy sites often go to trouble to make themselves look legitimate. That's not a reason to say that this isn't critical.
Posted by (127 comments )
Link Flag
Maybe not that simple
You might be right that the risk was only in iTunes but news stories are still not interactive so more details might not be easily found. Specifically there was a buffer overflow in MPEG 4 decoding which makes it sound more like a QuickTime problem. If you are using QuickTime on your Mac or PC for web content you could easily be at some random site viewing MPEG 4 content. If that is the case then iTunes would just be what a journalist might use in a news story because it has higher recognition.

In fact it is not likely that the actual MPEG 4 code would be in iTunes but I am just speculating here.
Posted by Steve Bryan (92 comments )
Link Flag
Yet another CNET bias
Wonder how this story didn't make it onto CNET?

If this was a Microsoft issue, then it would be front-page news for TWO DAYS on CNET, but since it's mozilla, it goes unmentioned:

---------------
News: Zero-Day Firefox Exploit Sends Mozilla Scrambling

The open-source Mozilla Foundation rushes out a partial fix
for an "extremely critical" Firefox flaw after exploit code
leaks onto the Web.
<a class="jive-link-external" href="http://ct.enews.eweek.com/rd/cts?d=186-2006-8-85-100214-227178-0-0-0-1" target="_newWindow">http://ct.enews.eweek.com/rd/cts?d=186-2006-8-85-100214-227178-0-0-0-1</a>
Posted by (127 comments )
Reply Link Flag
Yes, biased, but not the way you think
CNet loves controversy. "Security flaws" = site hits.

And Apple articles routinely make their most-read stories, so they LOVE to combine "flaws" with Apple. It gets a rise out of their readers.
Posted by M C (571 comments )
Link Flag
Try reading the news before posting....
<a class="jive-link-external" href="http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html" target="_newWindow">http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html</a>

It was on the front page all day yesterday.
Posted by Homer J. Simpson (9 comments )
Link Flag
What does this...
have to do with Apple. This isn't about Mozilla or Firefox it's about Apple's iTunes.
Posted by System Tyrant (1453 comments )
Link Flag
Bias? ....no
We ran the story on Firefox yesterday....

<a class="jive-link-external" href="http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html" target="_newWindow">http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html</a>

We value are readers and strive to deliver the news in a timely fashion.

Take care and appreciate all comments,
Dawn
Posted by dawn_kawamoto (3 comments )
Link Flag
Yet another CNET bias
Wonder how this story didn't make it onto CNET?

If this was a Microsoft issue, then it would be front-page news for TWO DAYS on CNET, but since it's mozilla, it goes unmentioned:

---------------
News: Zero-Day Firefox Exploit Sends Mozilla Scrambling

The open-source Mozilla Foundation rushes out a partial fix
for an "extremely critical" Firefox flaw after exploit code
leaks onto the Web.
<a class="jive-link-external" href="http://ct.enews.eweek.com/rd/cts?d=186-2006-8-85-100214-227178-0-0-0-1" target="_newWindow">http://ct.enews.eweek.com/rd/cts?d=186-2006-8-85-100214-227178-0-0-0-1</a>
Posted by (127 comments )
Reply Link Flag
Yes, biased, but not the way you think
CNet loves controversy. "Security flaws" = site hits.

And Apple articles routinely make their most-read stories, so they LOVE to combine "flaws" with Apple. It gets a rise out of their readers.
Posted by M C (571 comments )
Link Flag
Try reading the news before posting....
<a class="jive-link-external" href="http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html" target="_newWindow">http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html</a>

It was on the front page all day yesterday.
Posted by Homer J. Simpson (9 comments )
Link Flag
What does this...
have to do with Apple. This isn't about Mozilla or Firefox it's about Apple's iTunes.
Posted by System Tyrant (1453 comments )
Link Flag
Bias? ....no
We ran the story on Firefox yesterday....

<a class="jive-link-external" href="http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html" target="_newWindow">http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html</a>

We value are readers and strive to deliver the news in a timely fashion.

Take care and appreciate all comments,
Dawn
Posted by dawn_kawamoto (3 comments )
Link Flag
4.8 is not primarily a patch, but fixing a flaw so fast looks good on Apple
Completely unmentioned in this "news" story is the fact that the 4.8 update enables Quicktime video support (purchasing and playback) in iTunes.

CNet loves Secunia's PR releases, though, so they went with that, even though once again this flaw was a non-issue and went from security-company discovery to patch in less than a week.
Posted by M C (571 comments )
Reply Link Flag
4.8 is not primarily a patch, but fixing a flaw so fast looks good on Apple
Completely unmentioned in this "news" story is the fact that the 4.8 update enables Quicktime video support (purchasing and playback) in iTunes.

CNet loves Secunia's PR releases, though, so they went with that, even though once again this flaw was a non-issue and went from security-company discovery to patch in less than a week.
Posted by M C (571 comments )
Reply Link Flag
be thankful
im just thankful that apple is quick to repair all their security flaws. there was an article early about malware in the new tiger OS, but they've issued a resolution for it already. i guess we just sit and wait for the next hole to be discovered in apple software

has apple started hiring ex MS programmers or what?
Posted by (34 comments )
Reply Link Flag
be thankful
im just thankful that apple is quick to repair all their security flaws. there was an article early about malware in the new tiger OS, but they've issued a resolution for it already. i guess we just sit and wait for the next hole to be discovered in apple software

has apple started hiring ex MS programmers or what?
Posted by (34 comments )
Reply Link Flag
MPEG-4 ... video, not audio Right?
If I am not correct, but I think I am, This is a patch for movie files,
which ARE primarily downloaded from sites OTHER than iTunes
(ITMS).

I am NOT a mac hater. Just the opposite. But I think we should
keep the confusion to a minimum. I am a wrong, then I will do my
Rosanna ODanna bit.
Posted by Thomas, David (1937 comments )
Reply Link Flag
That's right...
Which is why, in the first version of iTunes that is actually designed to handle video, the hole is closed. ;-)
Posted by M C (571 comments )
Link Flag
MPEG-4 ... video, not audio Right?
If I am not correct, but I think I am, This is a patch for movie files,
which ARE primarily downloaded from sites OTHER than iTunes
(ITMS).

I am NOT a mac hater. Just the opposite. But I think we should
keep the confusion to a minimum. I am a wrong, then I will do my
Rosanna ODanna bit.
Posted by Thomas, David (1937 comments )
Reply Link Flag
That's right...
Which is why, in the first version of iTunes that is actually designed to handle video, the hole is closed. ;-)
Posted by M C (571 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

Inside CNET News

1-2 of 12

Scroll Left Scroll Right

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

Markets

Market news, charts, SEC filings, and more

Related quotes

Apple (1.86%) 9.18 502.60
Dow Jones Industrials (0.57%) 72.81 12,874.04
S&P 500 (0.68%) 9.13 1,351.77
NASDAQ (0.95%) 27.51 2,931.39
CNET TECH (0.84%) 17.13 2,049.14
  Symbol Lookup