Apple iTunes Hit With a New Critical Flaw
Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via a maliciously crafted MPEG4 file.
iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files."
A security vulnerability for older versions of iTunes isn't exactly iTunes being hit with a critical vulnerability. It's already fixed, in the well-publicized update yesterday.
The ringing of the division bell has begun... -PF
I think you misunderstand the grandparent poster.
He was referring to Apple working around DRM-circumvention software (I think it was called pyMusique) by updating iTunes.
And it's convenient to tell people they *have* to update iTunes because of a security hole. (It IS convenient, yes, but I don't think that's Apple's intention. I don't think the grandparent was saying that either.)
What's new in iTunes 4.8
iTunes 4.8 includes new Music Store features and support for transferring contacts and calendars from your computer to your iPod (requires Mac OS X version 10.4 on your computer).
So, no mention of a security hole or its having been patched. Hmmm.
I ran SU manually just now and it did not show up. I quit and re-launched version 4.7.1 to see if it would auto-check and it did not (as suggested above, perhaps this is a Windoze only feature). It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers (personally, I think it would be a nice touch if their servers also checked to see if you are one of their 'preferred' customers who has shelled out for a retail copy of Tiger, and gave you the update immediately regardless of your 'net location). Of course, going to itunes.apple.com will let you download the new version immediately, and they have simplified the process by requiring only an email address and the unchecking of two mailing list checkboxes...
The security information can be found here.
All Apple Security updates can be found here.
You can sign up for email notification (with PGP) here.
All that said, I've never seen it take so long for an update like this to show up in Software Update. If this is a new policy (I can see marketing saying, "make them go to the website so we can show off new features"), I'm going to be unhappy.
While Apple does use Akamai to distribute their content, they have also historically done Software Update rollouts in a gradual manner. If you look back at the history of non-security updates, it's not uncommon for some people to have the update show up while others get the "no updates available."