
May 10, 2005 10:00 AM PDT

Apple plugs security hole in iTunes

Apple Computer has patched a flaw in iTunes that could open the door to a remote attack on a person's computer.

The fix was released as part of the company's iTunes 4.8 update. Earlier versions of the music software have a vulnerability in MPEG-4 file parsing, Apple said in a security advisory. Opening a malicious MPEG-4 file could trigger a buffer overflow, which could allow an attacker to run code on the computer without the user's knowledge or, at minimum, crash iTunes.

"This is considered highly critical because it doesn't require significant user interaction," said Thomas Kristensen, chief technology officer at Secunia, which released an advisory on the security hole on Tuesday. "If you visit a malicious Web site and have an MPEG-4 data stream handled by an iTunes application, you could be affected."

The iTunes update is designed to improve the validation checks applied when MPEG-4 files are loaded. It is available for Mac OS X, Windows XP and Windows 2000.
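The advisory says only that the fix tightens validation when MPEG-4 files are loaded; the specific bug was not disclosed on this page. The example below is an added illustration, not Apple's or iTunes' code, of the kind of check that matters in an MPEG-4 (ISO base media file format) parser: every box begins with a big-endian 32-bit size and a four-character type, and a parser that trusts the declared size for a copy into a fixed buffer is one classic way to get a buffer overflow. The vulnerable pattern and the hardened parser are hypothetical, and the sample byte strings are constructed here, not taken from real files.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_CAP 64   /* fixed-size destination the naive code trusts blindly */

enum box_err { BOX_OK = 0, BOX_TRUNC_HDR = -1, BOX_BAD_SIZE = -2,
               BOX_OVERRUN = -3, BOX_TOO_BIG = -4 };

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rd64(const uint8_t *p) { return ((uint64_t)rd32(p) << 32) | rd32(p + 4); }

/* VULNERABLE PATTERN (hypothetical, not Apple's code): the declared box size
 * drives both the read length and the write length. A size below 8 underflows
 * to ~4 GiB; a size above PAYLOAD_CAP + 8 overruns the caller's buffer. */
void copy_payload_naive(const uint8_t *box, char dst[PAYLOAD_CAP]) {
    uint32_t size = rd32(box);
    memcpy(dst, box + 8, size - 8);
}

/* HARDENED: validate the header before trusting any length it carries.
 * Handles the two ISO BMFF special cases: size 1 = 64-bit largesize follows,
 * size 0 = box extends to end of file. */
int parse_box(const uint8_t *buf, size_t len, size_t off,
              uint64_t *box_len, size_t *hdr_len, char type[5]) {
    if (off > len || len - off < 8) return BOX_TRUNC_HDR;
    uint64_t size = rd32(buf + off);
    size_t hdr = 8;
    memcpy(type, buf + off + 4, 4);
    type[4] = '\0';
    if (size == 1) {
        if (len - off < 16) return BOX_TRUNC_HDR;
        size = rd64(buf + off + 8);
        hdr = 16;
    } else if (size == 0) {
        size = len - off;
    }
    if (size < hdr) return BOX_BAD_SIZE;        /* would underflow in the naive code */
    if (size > len - off) return BOX_OVERRUN;   /* declared size exceeds the bytes we have */
    *box_len = size;
    *hdr_len = hdr;
    return BOX_OK;
}

/* Copy a box payload into a fixed buffer, refusing anything that does not fit. */
int copy_payload_safe(const uint8_t *buf, size_t len, size_t off,
                      char dst[PAYLOAD_CAP], size_t *out_n) {
    uint64_t size; size_t hdr; char type[5];
    int rc = parse_box(buf, len, off, &size, &hdr, type);
    if (rc != BOX_OK) return rc;
    uint64_t payload = size - hdr;
    if (payload > PAYLOAD_CAP) return BOX_TOO_BIG;
    memcpy(dst, buf + off + hdr, (size_t)payload);
    *out_n = (size_t)payload;
    return BOX_OK;
}

/* Walk the top-level boxes; returns the count, or the error code of the first bad box. */
int count_boxes(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        uint64_t size; size_t hdr; char type[5];
        int rc = parse_box(buf, len, off, &size, &hdr, type);
        if (rc != BOX_OK) return rc;
        off += (size_t)size;   /* safe: size <= len - off was checked above */
        n++;
    }
    return n;
}

/* Constructed sample inputs (not real files). */
const uint8_t SAMPLE_GOOD[] = {      /* ftyp (20 bytes) + free (8 bytes) */
    0,0,0,20, 'f','t','y','p', 'i','s','o','m', 0,0,2,0, 'i','s','o','m',
    0,0,0,8,  'f','r','e','e' };
const uint8_t SAMPLE_OVERRUN[] = {   /* claims 2 GiB, file is 16 bytes */
    0x7f,0xff,0xff,0xff, 'm','d','a','t', 0,0,0,0, 0,0,0,0 };
const uint8_t SAMPLE_UNDERSIZE[] = { /* size 4 < header: naive code underflows */
    0,0,0,4, 'm','d','a','t', 0,0,0,0 };
const uint8_t SAMPLE_LARGESIZE[] = { /* size == 1 with 64-bit largesize 24 */
    0,0,0,1, 'm','d','a','t', 0,0,0,0,0,0,0,24, 1,2,3,4,5,6,7,8 };

/* A 200-byte mdat whose 192-byte payload would overrun a PAYLOAD_CAP buffer. */
int check_oversized_payload(void) {
    uint8_t file[200] = {0};
    file[3] = 200;
    memcpy(file + 4, "mdat", 4);
    char dst[PAYLOAD_CAP]; size_t n = 0;
    return copy_payload_safe(file, sizeof file, 0, dst, &n);
}

int main(void) {
    printf("good: %d boxes\n", count_boxes(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("overrun: %d  undersize: %d  largesize: %d  oversized payload: %d\n",
           count_boxes(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN),
           count_boxes(SAMPLE_UNDERSIZE, sizeof SAMPLE_UNDERSIZE),
           count_boxes(SAMPLE_LARGESIZE, sizeof SAMPLE_LARGESIZE),
           check_oversized_payload());
    return 0;
}
```

The point a practitioner should take from this is that the declared size is attacker-controlled data like any other: it must be checked against the header length (to stop the underflow), against the bytes actually available (to stop over-reads), and against the destination capacity (to stop the overflow) before a single byte is copied. Kristensen's remark that the bug needs little user interaction follows directly from the format: a web page can hand a crafted stream to whatever application is registered for MPEG-4, and the parser runs before the user sees anything.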

Apple's move follows the release last week of 20 fixes for holes in its Mac OS X operating system software.

The company plugged an earlier hole in iTunes in January in its version 4.7 update to the software, fixing a flaw in the handling of playlists, Kristensen said. That earlier vulnerability could also be exploited to terminate iTunes and execute arbitrary code.

Is it me?
by privatec May 10, 2005 10:57 AM PDT
Does anyone ever use iTunes to go anywhere other than iTMS? If
not, the fix would appear to be not downloading music from
'dodgy' sites.
well, i can use that argument for any site
by May 10, 2005 11:00 AM PDT
I mean, come on - the point is that dodgy sites often go to trouble to make themselves look legitimate. That's not a reason to say that this isn't critical.
Maybe not that simple
by Steve Bryan May 11, 2005 11:52 PM PDT
You might be right that the risk was only in iTunes but news stories are still not interactive so more details might not be easily found. Specifically there was a buffer overflow in MPEG 4 decoding which makes it sound more like a QuickTime problem. If you are using QuickTime on your Mac or PC for web content you could easily be at some random site viewing MPEG 4 content. If that is the case then iTunes would just be what a journalist might use in a news story because it has higher recognition.

In fact it is not likely that the actual MPEG 4 code would be in iTunes but I am just speculating here.
Yet another CNET bias
by May 10, 2005 11:02 AM PDT
Wonder how this story didn't make it onto CNET?

If this was a Microsoft issue, then it would be front-page news for TWO DAYS on CNET, but since it's mozilla, it goes unmentioned:

---------------
News: Zero-Day Firefox Exploit Sends Mozilla Scrambling

The open-source Mozilla Foundation rushes out a partial fix
for an "extremely critical" Firefox flaw after exploit code
leaks onto the Web.
http://ct.enews.eweek.com/rd/cts?d=186-2006-8-85-100214-227178-0-0-0-1
Yes, biased, but not the way you think
by M C May 10, 2005 11:07 AM PDT
CNet loves controversy. "Security flaws" = site hits.

And Apple articles routinely make their most-read stories, so they LOVE to combine "flaws" with Apple. It gets a rise out of their readers.
Try reading the news before posting....
by Homer J. Simpson May 10, 2005 12:53 PM PDT
http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html

It was on the front page all day yesterday.
What does this...
by System Tyrant May 10, 2005 1:23 PM PDT
have to do with Apple. This isn't about Mozilla or Firefox it's about Apple's iTunes.
Bias? ....no
by dawn_kawamoto May 10, 2005 2:11 PM PDT
We ran the story on Firefox yesterday....

http://news.com.com/Exploit+code+chases+two+Firefox+flaws/2100-1002_3-5700204.html

We value our readers and strive to deliver the news in a timely fashion.

Take care and appreciate all comments,
Dawn
4.8 is not primarily a patch, but fixing a flaw so fast looks good on Apple
by M C May 10, 2005 11:05 AM PDT
Completely unmentioned in this "news" story is the fact that the 4.8 update enables Quicktime video support (purchasing and playback) in iTunes.

CNet loves Secunia's PR releases, though, so they went with that, even though once again this flaw was a non-issue and went from security-company discovery to patch in less than a week.
be thankful
by May 10, 2005 11:06 AM PDT
I'm just thankful that Apple is quick to repair all their security flaws. There was an article earlier about malware in the new Tiger OS, but they've issued a resolution for it already. I guess we just sit and wait for the next hole to be discovered in Apple software.

Has Apple started hiring ex-MS programmers or what?
MPEG-4 ... video, not audio Right?
by Thomas, David May 10, 2005 11:25 AM PDT
I may not be correct, but I think I am: this is a patch for movie files, which ARE primarily downloaded from sites OTHER than iTunes (iTMS).

I am NOT a Mac hater. Just the opposite. But I think we should keep the confusion to a minimum. If I am wrong, then I will do my Rosanna ODanna bit.
That's right...
by M C May 10, 2005 12:01 PM PDT
Which is why, in the first version of iTunes that is actually designed to handle video, the hole is closed. ;-)