The fix was released as part of the company's iTunes 4.8 update. Earlier versions of the music software have a vulnerability within MPEG-4 file parsing, Apple said in a security advisory. People who access a malicious MPEG-4 file could trigger a buffer overflow, which could then crash iTunes or allow an attacker to gain remote control of their computer without their knowledge.
"This is considered highly critical because it doesn't require significant user interaction," said Thomas Kristensen, chief technology officer at Secunia, which released an advisory on the security hole on Tuesday. "If you visit a malicious Web site and have an MPEG-4 data stream handled by an iTunes application, you could be affected."
The iTunes update is designed to improve the validation checks that are used when MPEG-4 files are loaded. It is available for Mac OS X, Microsoft Windows XP and Microsoft Windows 2000.
Apple's move follows the release last week of 20 fixes for holes in its Mac OS X operating system software.
The company plugged an earlier hole in iTunes in January in its version 4.7 update to the software, fixing a flaw in the handling of playlists, Kristensen said. That earlier vulnerability could also be exploited to terminate iTunes and execute arbitrary code.
not, the fix would appear to be not downloading music from
'dodgy' sites.
In fact it is not likely that the actual MPEG 4 code would be in iTunes but I am just speculating here.
If this was a Microsoft issue, then it would be front-page news for TWO DAYS on CNET, but since it's Mozilla, it goes unmentioned:
---------------
News: Zero-Day Firefox Exploit Sends Mozilla Scrambling
The open-source Mozilla Foundation rushes out a partial fix
for an "extremely critical" Firefox flaw after exploit code
leaks onto the Web.
http://ct.enews.eweek.com/rd/cts?d=186-2006-8-85-100214-227178-0-0-0-1
And Apple articles routinely make their most-read stories, so they LOVE to combine "flaws" with Apple. It gets a rise out of their readers.
It was on the front page all day yesterday.
http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html
We value our readers and strive to deliver the news in a timely fashion.
Take care and appreciate all comments,
Dawn
CNet loves Secunia's PR releases, though, so they went with that, even though once again this flaw was a non-issue and went from security-company discovery to patch in less than a week.
Has Apple started hiring ex-MS programmers or what?
which ARE primarily downloaded from sites OTHER than iTunes
(ITMS).
I am NOT a Mac hater. Just the opposite. But I think we should
keep the confusion to a minimum. If I am wrong, then I will do my
Rosanna ODanna bit.
- MPEG-4 ... video, not audio Right?
- by Thomas, David May 10, 2005 11:25 AM PDT
- If I am not correct, but I think I am, This is a patch for movie files,
- That's right...
- by M C May 10, 2005 12:01 PM PDT
- Which is why, in the first version of iTunes that is actually designed to handle video, the hole is closed. ;-)