This week in security

A new version of Apple Computer's popular iTunes software is prompting complaints from privacy advocates for sending information about computer users' playlists back to Apple.

The new music software includes a "MiniStore" window, which provides recommended links to Apple's music download service when listeners click on songs in their personal playlist, including songs that haven't been purchased from the iTunes store.

To provide those recommendations, the software sends information about the selected song, such as artist, title and genre, back to Apple. But the software also transmits a string of data that is linked to a computer user's unique iTunes account ID, computer experts have found. Because iTunes users typically sign up for the music store with an e-mail address and a credit card number, the account ID number could in theory be linked to that information as well as a customer's purchase history.

Apple also warned about serious security flaws in QuickTime, saying that vulnerabilities in the media player put computers running Windows and Mac OS X at risk of being commandeered by an outsider. An attacker could exploit the flaws by tricking the user into opening a malicious file.

Apple released QuickTime 7.0.4 to address the vulnerabilities. The French Security Incident Response Team, a commercial security monitoring and research outfit, described the problems as "critical," its highest risk rating.

Meanwhile, Symantec released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software. In the PC-tuning application, a feature called the Norton Protected Recycle Bin creates a hidden directory on Windows systems. The feature is meant to help people restore modified or deleted files, but the hidden folder might not be scanned during scheduled or manual virus scans.

Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC security fiasco. The record label was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology also offered a hiding place for malicious software.

[pjcamp]

Symantec's limitations

What I have not seen mentioned in any of the news items on this issue, and that I think deserves broader play, is the fact that Symantec's fix is only for the 2004 through 2006 versions of their utility suite. 2003 and earlier suffers from the same problem but if you want to fix that, you are out of luck. First you have to pay for an upgrade and then apply the patch. But I have a better idea. Out of curiosity, I downloaded Zone Alarm's antivirus suite and scanned with it. I found 8 infections that Norton had let past, 6 of them hiding in the NPROTECT folder. This is curious since I have never used Norton Protection for my recycle bin. Apparently, it is installed whether you want it or not and all you can do is toggle whether or not it is actually used. So let's see the score: Norton is slipshod about preventing infections, it provides a cozy hiding place for them that they are now using, and if you want to destroy that hiding place, you have to pay money to Symantec for the priviledge. I think uninstalling is a far better idea.