Slashdot Mirror


Apple iTunes Hit With a New Critical Flaw

Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via a maliciously-crafted MPEG4 file. iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files."

44 comments

  1. Not amazingly new by caerwyn · · Score: 5, Informative

    A security vulnerability for older versions of iTunes isn't exactly iTunes being hit with a critical vulnerability. It's already fixed, in the well-publicized update yesterday.

    --
    The ringing of the division bell has begun... -PF
  2. So patched before public disclosure by pv2b · · Score: 2, Interesting

    This is good. A software vendor releasing a patch for a security hole in a product before full-disclosure of the hole.

    Though I'm puzzled -- why doesn't iTunes 4.8 show up in my Software Update yet? (Mac OS X 10.4, current iTunes version 4.7.1.)

    1. Re:So patched before public disclosure by woster · · Score: 1

      If you launch iTunes it should let you know that a new version is available and take you to the download page if you so desire, at least it did for me.

    2. Re:So patched before public disclosure by pv2b · · Score: 1

      What platform is this on? I think the Windows version does that, but Apple didn't want to clutter every single program on OS X with update code and interfaces, and handle all updates centrally through "Software Update" instead.

      At least in theory. It didn't show up there yet for me. Oh well, I patched it manually already. Ironically it said something like "Next time, you can get this from Software Update and not go through this cumbersome process" when I went to download it off Apple's web site.

    3. Re:So patched before public disclosure by woster · · Score: 1

      Hmmm, weird. I am running 10.4 and it came up for me. . .

    4. Re:So patched before public disclosure by Slimy Devil · · Score: 1

      I just tried it on OS X Tiger, both by manually checking for updates, and by launching iTunes fresh, and neither showed the update as being available.

    5. Re:So patched before public disclosure by rich3rd · · Score: 3, Informative
      From the readme:

      What's new in iTunes 4.8
      iTunes 4.8 includes new Music Store features and support for transferring contacts and calendars from your computer to your iPod (requires Mac OS X version 10.4 on your computer).

      So, no mention of a security hole or its having been patched. Hmmm.

      I ran SU manually just now and it did not show up. I quit and re-launched version 4.7.1 to see if it would auto-check and it did not (as suggested above, perhaps this is a Windoze only feature). It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers (personally, I think it would be a nice touch if their servers also checked to see if you are one of their 'preferred' customers who has shelled out for a retail copy of Tiger, and gave you the update immediately regardless of your 'net location). Of course, going to itunes.apple.com will let you download the new version immediately, and they have simplified the process by requiring only an email address and the unchecking of two mailing list checkboxes...

    6. Re:So patched before public disclosure by pv2b · · Score: 3, Informative
      Of course, going to itunes.apple.com will let you download the new version immediately, and they have simplified the process by requiring only an email address and the unchecking of two mailing list checkboxes...
      You don't even need to enter an e-mail address. It's optional! I just unchecked the checkboxes and clicked on Download.
    7. Re:So patched before public disclosure by rich3rd · · Score: 1
      You don't even need to enter an e-mail address. It's optional! I just unchecked the checkboxes and clicked on Download.

      Damn! This means I wasted 2.7 seconds typing 'biteme@mybigfat.org' when all I had to do was click three times.

    8. Re:So patched before public disclosure by pizero · · Score: 5, Informative

      The security information can be found here.

      All Apple Security updates can be found here.

      You can sign up for email notification (with PGP) here.

      All that said, I've never seen it take so long for an update like this to show up in software update. If this is a new policy (I can see marketing saying, "make them go to the website so we can show off new features"), I'm going to be unhappy.

    9. Re:So patched before public disclosure by Devil's Avocado · · Score: 2, Interesting

      Same for me. Have you moved iTunes.app out of /Applications? Software Update is annoyingly picky about having everything be there, despite Apple's "apps are drag-and-droppable" paradigm.

    10. Re:So patched before public disclosure by sharpestmarble · · Score: 1

      Not necessarily. It's so the people who are always first-adopters can get it first, therefore easing the load on the servers. They can also find any bugs that may have crept into the system.

      --
      AC's modded -6. I don't see you, I don't mod you, anything you say is lost. Don't like it? Don't be a coward.
    11. Re:So patched before public disclosure by Anonymous Coward · · Score: 0

      I always use sjobs@apple.com and make sure I check as many "send me updates" checkboxes as I can.

  3. read changelog, post advisory, rinse and repeat by __aaitqo8496 · · Score: 3, Interesting

    wait... did they just create an advisory based on changelog? didn't this happen with firefox not long ago?

  4. TFA is pretty short on description by amichalo · · Score: 1

    From TFA: A vulnerability has been reported in iTunes, which potentially can be exploited by malicious people to compromise a user's system [...] caused (by) a boundary error [...] and can be exploited to cause a buffer overflow via a specially crafted MPEG-4 file [...] (that could) allow execution of arbitrary code.

    This is worrisome on one hand, but on the other, there is no description of what it takes to "specially craft" an MP4 to take advantage of the exploit.

    I chalk it up as yet another reason to upgrade to iTunes 4.8

    Other reasons to upgrade include:
    - support for video within iTunes (like that included in the $11.98 Dave Matthews Band album Stand Up
    - syncing of contacts/calendars to iPod

    Disclaimer: This is not an ad

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
    1. Re:TFA is pretty short on description by Warlock7 · · Score: 1

      You forgot the liner notes which, finally, come with that particular Dave Matthews Band album.

    2. Re:TFA is pretty short on description by rthille · · Score: 1

      - syncing of contacts/calendars to iPod

      Not sure I understand the value of this. I drop my iPod in the cradle, iTunes launches and syncs any new music, and iSync launches and syncs any contact/calendar changes. Not sure why they didn't move it the other way, where iSync is in charge of syncing the music to the iPod...

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    3. Re:TFA is pretty short on description by amichalo · · Score: 1

      Let me help clarify...

      For Windows users, iSync doesn't exist. On June 6, Steve Jobs is giving a keynote at WWDC2005 and will likely introduce the Apple/Motorola iTunes phone. This device will need to sync not only music but contacts and calendar entries too. So, they built the functionality into iTunes.

      You can still use iSync since you use a Mac. For Windows users, this functionality will prepare them for "one more thing(tm)".

      --
      I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
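    The advisory quoted above says only "boundary error ... buffer overflow via a specially crafted MPEG-4 file" and that 4.8 "improved the validation checks used when loading MPEG4 files". The actual iTunes defect is not described anywhere on this page, so the following is an added illustration, not iTunes or Apple code: a minimal MPEG-4/QuickTime atom-header loader written two ways, one that trusts the 32-bit size field the way a loader with a "boundary error" would, and one that validates it the way the fix is described. The atom layout (4-byte big-endian size, 4-byte type, payload) is the standard one; the function names, the 64-byte `SCRATCH_LEN` destination buffer and the three sample inputs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATOM_HDR    8    /* 4-byte big-endian size + 4-byte type ("ftyp", "moov", ...) */
#define SCRATCH_LEN 64   /* assumed fixed-size buffer a naive loader copies an atom payload into */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Weak validation: the only check is "declared size fits in the file".
 * Two inputs get past it: a size below 8, where size - ATOM_HDR wraps to
 * ~4 GiB, and a size that fits the file but not SCRATCH_LEN. Either would
 * turn the copy that follows into a stack smash, so this function returns
 * the length it *would* copy instead of copying; (size_t)-1 means rejected. */
size_t naive_payload_len(const uint8_t *file, size_t file_len)
{
    if (file_len < ATOM_HDR) return (size_t)-1;
    uint32_t size = be32(file);
    if (size > file_len) return (size_t)-1;   /* the only bounds check */
    return (size_t)(size - ATOM_HDR);         /* unsigned wrap when size < 8 */
}

/* Hardened: size must cover its own header, lie inside the remaining input,
 * and the payload must fit the destination. Returns the payload length
 * copied into scratch, or -1 for malformed input. Simplification (assumed):
 * the special sizes 0 (atom runs to end of file) and 1 (64-bit extended
 * size) are rejected here; a real parser must handle them with the same rigor. */
int hardened_load_atom(const uint8_t *file, size_t file_len, size_t off,
                       uint8_t scratch[SCRATCH_LEN], char type_out[5])
{
    if (off > file_len || file_len - off < ATOM_HDR) return -1;
    uint32_t size = be32(file + off);
    if (size < ATOM_HDR) return -1;            /* rejects 0, 1 and wrap-inducing sizes */
    if (size > file_len - off) return -1;      /* atom must lie inside the input */
    size_t payload = size - ATOM_HDR;
    if (payload > SCRATCH_LEN) return -1;      /* payload must fit the destination */
    memcpy(type_out, file + off + 4, 4);
    type_out[4] = '\0';
    memcpy(scratch, file + off + ATOM_HDR, payload);
    return (int)payload;
}

/* Walk every top-level atom; returns the atom count, or -1 on the first bad one. */
int hardened_walk(const uint8_t *file, size_t file_len)
{
    uint8_t scratch[SCRATCH_LEN];
    char type[5];
    size_t off = 0;
    int n = 0;
    while (off < file_len) {
        int got = hardened_load_atom(file, file_len, off, scratch, type);
        if (got < 0) return -1;
        off += ATOM_HDR + (size_t)got;
        n++;
    }
    return n;
}

/* Constructed sample inputs (not real iTunes or MPEG-4 files). */
static const uint8_t GOOD[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'M','4','A',' ', 0,0,0,0,  /* 16-byte ftyp */
    0x00,0x00,0x00,0x08, 'f','r','e','e'                             /* 8-byte free */
};
static const uint8_t TINY_SIZE[] = { 0x00,0x00,0x00,0x04, 'm','o','o','v', 1,2,3,4 };

static uint8_t oversize_buf[200];
/* A 200-byte "mdat" atom: fits the file, but its 192-byte payload does not fit scratch. */
const uint8_t *oversize_sample(void)
{
    memset(oversize_buf, 0, sizeof oversize_buf);
    oversize_buf[3] = 200;                     /* big-endian 0x000000C8 */
    memcpy(oversize_buf + 4, "mdat", 4);
    return oversize_buf;
}

int main(void)
{
    printf("naive    good=%zu tiny=%zu oversize=%zu\n",
           naive_payload_len(GOOD, sizeof GOOD),
           naive_payload_len(TINY_SIZE, sizeof TINY_SIZE),
           naive_payload_len(oversize_sample(), sizeof oversize_buf));
    printf("hardened good=%d tiny=%d oversize=%d\n",
           hardened_walk(GOOD, sizeof GOOD),
           hardened_walk(TINY_SIZE, sizeof TINY_SIZE),
           hardened_walk(oversize_sample(), sizeof oversize_buf));
    return 0;
}
```

    The point of the two inputs that the naive loader accepts is that a size field "fitting in the file" is not the same as the atom fitting its own header or the buffer it is copied into; both the underflow and the oversized-but-in-bounds payload are ordinary ways a "boundary error" in a media loader becomes arbitrary code execution, which is why a file from a P2P share, a band's web site or a mis-typed download would be enough to trigger one.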
  5. FrSIRT? by commodoresloat · · Score: 3, Funny

    Did they get the FrSIRT post in when they published this vulnerability?

  6. Misleading Article Title by Anonymous Coward · · Score: 5, Insightful

    Why is the title of this article "Apple iTunes Hit With a New Critical Flaw". Shouldn't it be "New Apple iTunes Fixes Critical Flaw"?

    1. Re:Misleading Article Title by Anonymous Coward · · Score: 0

      Because giving the Astroturfers any opportunity to claim Apple has as many (or, at any rate, nearly as many) security problems as Microsoft will kick off a long flame war and pump up the hit counter, selling more ad revenue.

    2. Re:Misleading Article Title by 0x461FAB0BD7D2 · · Score: 1, Flamebait

      It's about the focus. The former headline puts the focus on the flaw, while the latter headline puts the focus on the update to iTunes.

      As the summary leaves out other features the iTunes update has while explaining the critical flaw that iTunes faced, the submitter clearly intended to focus on the security issues, hence he chose the former headline, which is accurate.

      In any case, if the latter headline were used, it wouldn't be as news-worthy, as it would seem to be more of a Slashvertisement for iTunes than actual geek news.

  7. Thanks for the FUD by amichalo · · Score: 5, Insightful

    Our old software with weaker DRM may render your computer insecure! Upgrade to our new fancy DRMtacular software!

    But TFAs don't say anything about this having to do with DRMed MP4s.

    In fact, I don't see how one could "specially craft" (per the articles) a DRM protected MP4 and allow it to be played on any computer. Certainly Apple isn't going to sell DRM protected songs that crash the user's computer.

    No, instead, this vulnerability would exist if people got a MP4 (AAC) song off a P2P fileshare where someone exploited the pre-4.8 iTunes.

    Again, your FUD is appreciated.

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
    1. Re:Thanks for the FUD by pv2b · · Score: 2, Informative

      I think you misunderstand the grandparent poster.

      He was referring to apple working around DRM-circumvention software (I think it was called pyMusique) by updating iTunes.

      And it's convenient to tell people they *have* to update iTunes because of a security hole. (It IS convenient, yes, but I don't think that's Apple's intention. I don't think the grandparent was saying that either.)

    2. Re:Thanks for the FUD by ABaumann · · Score: 2, Insightful

      I was wondering when someone would play the troll card on this one. I'm certainly not surprised that it came in this form either. Other acceptable trolls would have been:

      - I told you OS X had major security issues.
      - I don't need to worry about it. iTunes doesn't run on my linux box.

      But yeah, of the three, yours is far better. I mean, since we all have hard disks and portable music players of infinite size, things like WAV and FLAC make perfect sense for the standard user. ...and don't give me that OGG or WMA is better than MP4/AAC bs because comparing lossy formats is just a waste of time.

    3. Re:Thanks for the FUD by FredFnord · · Score: 1
      No, instead, this vulnerability would exist if people got a MP4 (AAC) song off a P2P fileshare where someone exploited the pre-4.8 iTunes.
      Oooor got it off of some garage band's web site, or decided they liked the background music at a web site and downloaded it and stuck it in iTunes, or (possibly) downloaded a video mpeg4 file from somewhere on the net and imported THAT into iTunes. (Yes, you can; in fact, I've done it accidentally a number of times, with video files that were mis-typed by web servers, or had the wrong filename extension. But I'm not sure whether you could make a video mp4 file that exploited this vulnerability or not.)

      I'm sorry, this may not be the vulnerability of the century, and I don't agree with the parent's post either, but it's not trivial, and to suggest it is does no one any good.
      I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
      I guess it's a good thing you've got plenty of ass, huh?

      -fred
      --
      Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
    4. Re:Thanks for the FUD by TravisWatkins · · Score: 1

      They didn't change anything that breaks PyMusique. We've tested with PyMusique reporting as 4.7 and 4.8, works fine.

      --

      "But I'm still right here, giving blood and keeping faith. And I'm still right here."
  8. oh no by fulldecent · · Score: 4, Funny

    This is devastating! I need this fixed yesterday.

    --

    -- I was raised on the command line, bitch

  9. Re:Your sig by pv2b · · Score: 1
    -- I was raised on the command line, bitch
    You think you had it bad? I was raised by the command lines of DOS and Linux, IRC and shock sites. Chiefly by IRC though.

    And now I'm a Mac OS X user. Go figure. :-)
  10. How Apple handles burst traffic by amichalo · · Score: 2, Interesting

    It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers...

    The process you suggest is not how Apple manages server load "bursting".

    Instead, Apple is a customer of Akamai, pretty much the only vendor (now that they bought their closest competitor, Speedera) of distributed hosting for On Demand (burst) Management and Content Delivery (used for iTunes Music Store) for global enterprises. These folks handle sites like Major League Baseball who get flooded with traffic on opening day and during the World Series and don't need to invest millions in infrastructure to handle these high-traffic times.

    If you want, take a look at the HTML source for apple's own websites. It used to be that all media (images, quicktime, etc) were served from an akamai URL but now apple has images.apple.com that must hide the Akamai relationship. Still, there are relics like
    http://stream.qtv.apple.com/events/apple/akamai/010500/keynote010500vod_300.mov
    as an example.

    The iTunes Music Store uses Akamai to deliver those great download rates for the 160,000 songs per day they sell.

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
  11. Slashdot News Hit With a New Stupid Title by fatalb7 · · Score: 2, Insightful


    Do we really need this kind of sensationalism?
    The announcement of the new version fixing this was posted on /. yesterday.

    Anything new?

  12. Kind of. by Anonymous Coward · · Score: 1, Informative

    While Apple does use Akamai to distribute their content, they have also historically done Software Update rollouts in a gradual manner. If you look back at the history of non-security updates, it's not uncommon for some people to have the update show up while others get the "no updates available."

    1. Re:Kind of. by amichalo · · Score: 1

      If you look back at the history of non-security updates, it's not uncommon for some people to have the update show up while others get the "no updates available."

      I would be interested to read about this. Do you have a link to more information?

      --
      I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
  13. not on the front page of slashdot? by Anonymous Coward · · Score: 0

    At first I was like "Wow, an apple vulnerability! Why is this not on the front page of Slashdot?"

    Then I realized it was a false, sensational and misleading title, which was referred to yesterday on the front page of slashdot.

    After I realized that I wondered, "Why isn't this on the front page of slashdot?!?!? It fits all the criteria."

    http://www.veganfilm/

  14. Re:Your sig by Anonymous Coward · · Score: 0

    It comes from "i was raised on the dairy bitch"

  15. The Difference Between Apple & Microsoft Patch by Cr0w T. Trollbot · · Score: 1, Funny
    Time between Apple vulnerability being found and patched: Measured with a stopwatch.

    Time between Microsoft vulnerability being found and patched: Measured by counting redwood tree rings.

    Alternately, we could measure Microsoft's patch time by the number of spam e-mails an unpatched zombie system sends out. "Wow, Microsoft patched that security hole after only 9,000,000 SoBigs! They're really improving!"

    Crow T. Trollbot

  16. Update notice via iTunes by benwaggoner · · Score: 2, Insightful

    I just launched iTunes 4.7, and was prompted to download 4.8.

    Not via software update, but it's something.

  17. Is a Mac/PPC exploit likely? by Anonymous Coward · · Score: 0

    I imagine that while the vulnerability affects both platforms, an exploit would target the Windows version only. Would an attacker be able to target Mac owners? I recall reading somewhere that the x86 architecture (on all platforms) is more vulnerable than PPC; could someone comment?

    1. Re:Is a Mac/PPC exploit likely? by Anonymous Coward · · Score: 0

      That's right. PPC has its MSM (Memory Start Markers) logically separated from its main memory storage. This makes it very hard for buffer overruns to occur. Windows, on the other hand treats memory as a raw buffer.