Security researchers have discovered a vulnerability in Apple's popular iTunes application which might be exploited to interfere with shared music downloads.

The glitch in iTunes 6.x - involving a failure to authenticate the source of shared music lists received via multicast - is currently unpatched. So it's just as well that it's described by the man who discovered the flaw, Seth Fogie of Airscanner, as annoying rather than potentially devastating.

The vuln (Airscanner advisory and Flash demo here) might be exploited to kill an existing stream without authorisation via an anonymous packet. At worst the glitch might also permit the Shared Music lists from various users to be renamed and swapped, thus creating a chaotic environment. These avenues of attack exist because it's possible to create spoofed Shared Music entries, to rename existing entries, to disconnect existing entries and to re-initiate existing lists.

Version 6.0 of iTunes on Win XP and OS X have been confirmed as vulnerable. Other versions may also be affected. There's no fix, as yet, so it's just as well the glitch is classified as low risk. Security notification firm Secunia advises iTunes users to restrict their use of the shared music feature to within trusted networks only, as a precaution. Airscanner advises users to disable the 'look for shared music' option under the Sharing tab in Preferences. ®

Related stories

• Apple's in the eye of flaw finders (8 February 2006)
• Apple bitten by iTunes security bugs (11 January 2006)
• Samsung preps digital music download service (31 October 2005)
• Apple opens iTunes down under (25 October 2005)
• Opinion Apple and Disney's two-inch disappointment (18 October 2005)
• Video iPod plus Front Row: Media Center killer, or shoulder-shrug? (13 October 2005)
• iTunes phone not shifting - analyst (6 October 2005)
• Apple fixes critical iTunes bug (12 May 2005)
• Apple mega-patch fixes 19 flaws (5 May 2005)