Apple patches 'highly critical' iTunes bug
Print storyPlaylist peril
Posted in Enterprise Security, 14th January 2005 12:10 GMT
Free whitepaper – Extended Validation SSL Certificates
Apple updated its iTunes software this week following the discovery of a security bug that leaves open a way to compromise vulnerable systems.
A bug in code used by iTunes to parse .m3u and .pls playlists means a maliciously-crafted playlist (with long URL file entries) can crash vulnerable versions of the application. In the process, hostile code can be injected into vulnerable systems. This is a classic buffer overflow attack.
iTunes users are advised to update to version 4.7.1 to guard against the risk of attack. Hymn users, beware: the upgrade breaks this anti-DRM utility.
Security reporting firm Secunia rates the iTunes bug as "highly critical". Exploitations of both Mac OS and Windows machines running iTunes is possible - providing an attacker tricks a user opening a malicious playlist file with a vulnerable version of iTunes.
The vuln was discovered by Sean de Regge and is explained here. ®
Related stories
Trojans exploit Windows DRM loophole
Apple brings discord to Hymn
Unholy trio of RealOne Player holes unearthed
Windows-style security hell stalks Mac OS X? Yeah, you wish
Macworld: Spotlight, trinkets, mark-ups, and middle-class angst
Free whitepaper – Securing your Microsoft Internet Information Services (MS IIS) web server
The business case for application security
Reducing messaging and web security costs with managed services
Avoiding 7 common mistakes of IT security compliance
Server-gated cryptography
Airport insecurity: the case of lost laptops
Feds: Hospital hacker's 'massive' DDoS averted
Buggy 'smart meters' open door to power-grid botnet
Microsoft knew of nasty IE bug a year before attacks
BlockMaster SafeStick hardware-encrypted USB drive