AVG's free antivirus product temporarily blocked users from getting to iTunes late last week, detecting it as a Trojan, the company said on Monday.
For about five hours on Friday starting around 4 p.m. PDT, AVG users couldn't access iTunes because of the false alarm.
"AVG discovered the false alarm in the virus signature engine relating to some localization components of iTunes (so not iTunes as a virus but rather some localization components of iTunes) and it was fixed within 5 hours," AVG spokesperson Siobhan MacDermott said in a statement. "AVG would like to apologize for any inconvenience to our users/customers."
AVG was alerted to the problem by customers, who were posting to the AVG and iTunes forums.
While irregular, false positives do happen. Last year, AVG flagged ZoneAlarm as malware and a Windows system file as a Trojan. And earlier this month, Computer Associates' antivirus software mistakenly identified a Windows XP system file as a virus.
Earlier today, Apple updated iTunes to get it ready for the anticipated iPhone firmware upgrade to version 3.0. The company also updated its QuickTime video player.
iTunes 8.2, for Windows and Mac, makes the program ready for the iPhone and iPod Touch operating system upgrade by pushing out changes made to recent prerelease versions of iTunes that had been available to only iPhone developers. It also includes one security fix.
QuickTime 7.6.2, for Windows and Mac, contains several security fixes, including patches for holes that could have been exploited to run arbitrary code through maliciously created PSD, JP2, and some movie files.
Apple on Thursday released iTunes 8.1, which includes a fix for a vulnerability that could lead to theft of usernames and passwords if a podcast containing malware were subscribed to.
The software update addresses a design issue in the iTunes podcast feature that made it possible for a subscription to a malicious podcast to cause an authentication dialog to be displayed that could prompt the user for log-in credentials to the podcast server, Apple's advisory said.
The issue affects Mac OS X v 10.4.10 and later. The issue was reported by Simon Bellwood.
iTunes 8.1 also fixes a vulnerability that could allow maliciously crafted Digital Audio Access Protocol messages to cause a denial of service on computers running Windows XP or Vista. Fortinet's Fortiguard Global Security Research team is credited with discovering this bug.
Want to watch a high-definition show from iTunes on an older external display? Good luck!
Some Mac users are teed off that they are getting error messages saying the iTunes movie they rented or bought can't be played on their display because it is not HDCP (High-bandwidth Digital Content Protection) authorized.
And some people are complaining they are only able to play certain standard definition iTunes content on their laptop or via an HDMI connection.
As a result, some Apple forum participants have threatened to boycott iTunes.
"And here we are now with Apple users who have spent thousands of dollars on Apple hardware (30" Cinema displays are not cheap!), buying films legitimately through Apple's store only to find themselves screwed when they just want to watch the film!" wrote "non-troppo" on the Apple Discussions Forum.
Forum participant Jim Beggans complained that Apple expanded the usage limitations of iTunes without updating the published usage terms.
"It is imperative that Apple address this customer concern with NEW terms of service (which will require them to offer some remedy for existing purchases) and clarify that HDCP is now a standard part of their products regardless of which mode of the DisplayPort is in use," Beggans wrote.
ArsTechnica, which first covered the issue, reports that Apple's new MacBook is using DPCP, or DisplayPort Content Protection, which was developed by Philips.
The Mini DisplayPort connector used on Apple's new MacBooks and MacBook Pros uses DPCP to prevent iTunes files from being played on devices that are not compliant with either DPCP or HDCP, a copy-protection technology used with the HDMI standard. DPCP supports the HDCP technology, but is considered a stronger level of encryption, according to the Video Electronics Standards Association.
"While Apple's own Apple TV has used HDCP to protect video files playing from its HDMI port, this is the first time we've heard of Apple bringing HDCP DPCP to its hardware," David Chartier writes on ArsTechnica.
Basically, Apple is moving forward with a new standard that is not compatible with older displays. In the past, Apple has shown a willingness to forge ahead with new technology that doesn't always play nice with the older stuff, and the decision to use the Mini DisplayPort connector on the new MacBooks and MacBook Pros ensured that DPCP and HDCP would come along for the ride.
"Apple's compliance with HDCP--a necessary but appalling condition of the content companies that deliver the HD movies and TV shows--is beginning to close out the 'analog hole' and cause real aggravation for laptop owners with legitimate use cases," writes Michael Rose on The Unofficial Apple Weblog site.
Andy Foster sums the situation up on his Computer Blog: "In other words, the only way any of us can guarantee we can play the stuff we buy that is HD is to ensure we have the newest in hardware."
What does Apple have to say for itself? We don't know and likely won't. Apple representatives did not return repeated phone calls and e-mails seeking comment over two days.
(CNET News' Tom Krazit contributed to this report.)
A serious new flaw was disclosed on Thursday that affects the latest versions of Apple's QuickTime and iTunes applications.
The National Vulnerability Database entry CVE-2008-4116 describes a heap-based buffer overflow vulnerability within Apple's QuickTime 7.5.5 and iTunes 8.0 programs.
To infect a computer, a maliciously coded long-type attribute within a QuickTime tag might be placed on a Web page, or within a .mp4 or .mov file. This could allow remote attackers to crash the applications (known as a denial of service) or possibly execute arbitrary code on a compromised computer.
The announcement comes one week after
At the moment, there is no recommended workaround or patch available for the code exploit.
Apple did not reply to a request for comment.
Apple on Friday issued an update for iTunes 8 that specifically addresses problems experienced by Windows Vista users, and issued general recommendations for Windows XP and Vista users experiencing sync issues with iPhone and iPod touch devices.
Since its release earlier in the week, iTunes 8 has bedeviled some Windows Vista users with the so-called blue screen of death, or BSOD, and other issues. Speculation has focused on an incompatibility with USB devices, such as Webcams and printers.
In a support post, Apple recommends that Windows Vista users experiencing difficulty should uninstall iTunes 8 and, after rebooting the computer, reinstall the updated application. (You can download the updated iTunes 8 for Windows from CNET's Download.com.)
Also on Friday, Apple posted recommendations regarding problems experienced by Windows XP and Windows Vista users when syncing the iPhone or iPod Touch devices containing saved photos. Apple says that "while any driver software could be a factor, updating the software drivers for Logitech QuickCam/Webcam products, Lexmark scanners, and some built-in media card reader drivers on the computer may solve this issue in a majority of cases."
Not everyone is rocking to the new iTunes 8 released Tuesday. An informal poll on ZDNet suggests that a problem with the latest edition of the Apple media player is affecting some, but not all, users of the software on Microsoft's Windows Vista. (You can download iTunes 8 for Windows from CNET Download.com.)
Users on an Apple forum reported seeing the so-called blue screen of death (BSOD) on their desktops running Windows Vista with iTunes 8 installed. The BSOD problem occurs shortly after connecting their iPods and iPhones.
A second, more subtle effect is that their CD/DVD drives "disappear."
ZDNet's Ed Bott offers a look at the upgrades or changes in iTunes 8.
Removing other USB devices, such as Webcams and printers, appears to resolve the problem, for the moment. Users on the forum speculate that there is an incompatibility between Apple and USB products from Logitech and HP, as well as disc-burning software from Roxio.
We will update this post with further details, as they unfold.
On Tuesday, Apple released iPod Touch version 2.1 to address several security issues. Among them are the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Other issues include vulnerabilities in Webkit, CoreGraphics, and the Application Sandbox.
Earlier on Tuesday, Apple released updates to its QuickTime media player.
Apple notes that this update is only available through iTunes as part of the iPod Touch updating process and will not appear in your computer's Software Update application, nor can it be found on the Apple Downloads site.
Application Sandbox
This patch affects users of iPod Touch v2.0 through v2.0.2. The update addresses the information disclosure vulnerability detailed within CVE-2008-3631. Apple says "the Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox and lead to the disclosure of sensitive information." Apple credits Nicolas Seriot of Sen:te and Bryce Cogswell for reporting the vulnerability. This issue does not affect iPod Touch versions prior to v2.0.
CoreGraphics
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses the FreeType v2.3.5 vulnerabilities within CVE-2008-1806, CVE-2008-1807, CVE-2008-1808. Apple says the most serious of these vulnerabilities may lead to arbitrary code execution when accessing maliciously crafted font data.
mDNSResponder
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses the cache poisoning vulnerability within CVE-2008-1447. Apple explains that mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information.
Networking
This patch affects users of CVE-2008-3612. The update addresses the memory corruption issue detailed within CVE-2008-3626. Apple says the TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection.
WebKit
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses a vulnerability detailed within CVE-2008-3632. Apple says that a use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution.
Apple on Tuesday released Bonjour for Windows 1.0.5, patching the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Bonjour for Windows can be found within iTunes. Earlier on Tuesday, Apple released DNS patches for iPod Touch. Bonjour for Windows 1.0.5 may be obtained by downloading iTunes 8.0 or from Apple Software Downloads.
mDNSResponder 1
This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses the null pointer dereference issue in CVE-2008-2326. Apple says the problem within Bonjour Namespace Provider lies in resolving a maliciously crafted ".local" domain name containing a long DNS label. Doing so may cause an unexpected application termination. This issue does not affect systems running Mac OS X.
mDNSResponder 2
This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses the vulnerability detailed within CVE-2008-3635. Apple explains that "Bonjour for Windows provides Zero Configuration Networking, Multicast DNS, and Network Service Discovery for Windows users. It's also possible to use the Bonjour API to issue conventional unicast DNS queries. A weakness in the DNS protocol may allow a remote attacker to spoof DNS responses. As a result, if there are applications that use Bonjour for Windows for unicast DNS, those applications may receive forged information. However, there are no known applications that use the Bonjour APIs for unicast DNS hostname resolution." This issue does not affect systems running Mac OS X.






