Slashdot Mirror


Apple iTunes Hit With a New Critical Flaw

Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via maliciously-crafted MPEG4 file. iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files."
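The summary says the fix consists of stricter validation when loading MPEG-4 files. The following is an added illustration of what that kind of validation looks like in practice; it is not Apple's code and not the patched iTunes logic, and the parser, function names and sample buffers are all hypothetical. It walks the top-level boxes ("atoms") of an ISO BMFF / MPEG-4 buffer and rejects any box whose declared size is smaller than its own header, larger than the bytes that remain, or whose header is cut off, which are exactly the malformed-size cases a defensive loader has to refuse before it trusts the size field for anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes returned by the box walk (hypothetical names). */
enum mp4_status { MP4_OK = 0, MP4_ERR_TRUNCATED = 1, MP4_ERR_BAD_SIZE = 2 };

/* Read 32- and 64-bit big-endian integers, as used in MP4 box headers. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/*
 * Walk the top-level boxes of an MPEG-4 buffer, validating every size field
 * against the bytes actually present before it is used to advance the cursor.
 * On success *count (if non-NULL) holds the number of boxes seen.
 */
int mp4_count_boxes(const uint8_t *buf, size_t len, size_t *count) {
    size_t off = 0, n = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < 8) return MP4_ERR_TRUNCATED;   /* no room for size + type */
        uint64_t size = be32(buf + off);
        size_t hdr = 8;
        if (size == 1) {                                /* 64-bit "largesize" follows type */
            if (remaining < 16) return MP4_ERR_TRUNCATED;
            size = be64(buf + off + 8);
            hdr = 16;
        } else if (size == 0) {                         /* box runs to end of data */
            size = remaining;
        }
        /* A size below the header length would move the cursor backwards or loop forever. */
        if (size < hdr) return MP4_ERR_BAD_SIZE;
        /* A size beyond the remaining bytes promises payload that is not there. */
        if (size > remaining) return MP4_ERR_BAD_SIZE;
        off += (size_t)size;
        n++;
    }
    if (count) *count = n;
    return MP4_OK;
}

/* Convenience wrapper: number of boxes, or 0 when the buffer is rejected. */
size_t mp4_box_count(const uint8_t *buf, size_t len) {
    size_t n = 0;
    return mp4_count_boxes(buf, len, &n) == MP4_OK ? n : 0;
}

/* Constructed sample buffers (not real files). */
static const uint8_t SAMPLE_GOOD[] = {      /* ftyp (16 bytes) + free (8 bytes) */
    0,0,0,16,'f','t','y','p','i','s','o','m',0,0,2,0,
    0,0,0,8,'f','r','e','e' };
static const uint8_t SAMPLE_HUGE[] = {      /* size 0xFFFFFFFF with only 12 bytes present */
    0xFF,0xFF,0xFF,0xFF,'m','d','a','t',0,0,0,0 };
static const uint8_t SAMPLE_TINY[] = {      /* size 4 is smaller than the 8-byte header */
    0,0,0,4,'m','d','a','t' };
static const uint8_t SAMPLE_LARGE64[] = {   /* size==1, 64-bit largesize of exactly 16 */
    0,0,0,1,'m','d','a','t',0,0,0,0,0,0,0,16 };
static const uint8_t SAMPLE_CUT[] = {       /* header cut off after 5 bytes */
    0,0,0,16,'m' };

int main(void) {
    printf("good: status %d, boxes %zu\n",
           mp4_count_boxes(SAMPLE_GOOD, sizeof SAMPLE_GOOD, NULL),
           mp4_box_count(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("huge: %d  tiny: %d  large64: %d  cut: %d\n",
           mp4_count_boxes(SAMPLE_HUGE, sizeof SAMPLE_HUGE, NULL),
           mp4_count_boxes(SAMPLE_TINY, sizeof SAMPLE_TINY, NULL),
           mp4_count_boxes(SAMPLE_LARGE64, sizeof SAMPLE_LARGE64, NULL),
           mp4_count_boxes(SAMPLE_CUT, sizeof SAMPLE_CUT, NULL));
    return 0;
}
```

The point of the ordering is that the cursor is only advanced after both checks pass; a loader that advances first and checks later, or that trusts the size field when allocating or copying the payload, is the pattern that turns a crafted size into an out-of-bounds access.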

4 of 44 comments

  1. So patched before public disclosure by pv2b · Score: 2, Interesting

    This is good. A software vendor releasing a patch for a security hole in a product before full-disclosure of the hole.

    Though I'm puzzled -- why doesn't iTunes 4.8 show up in my Software Update yet? (Mac OS X 10.4, current iTunes version 4.7.1.)

    1. Re:So patched before public disclosure by Devil's+Avocado · Score: 2, Interesting

      Same for me. Have you moved iTunes.app out of /Applications? Software Update is annoyingly picky about having everything be there, despite Apple's "apps are drag-and-droppable" paradigm.

  2. read changelog, post advisory, rinse and repeat by __aaitqo8496 · Score: 3, Interesting

    Wait... did they just create an advisory based on the changelog? Didn't this happen with Firefox not long ago?

  3. How Apple handles burst traffic by amichalo · Score: 2, Interesting

    It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers...

    The process you suggest is not how Apple manages server load "bursting".

    Instead, Apple is a customer of Akamai, pretty much the only vendor (now that they bought their closest competitor, Speedera) of distributed hosting for On Demand (burst) Management and Content Delivery (used for iTunes Music Store) for global enterprises. These folks handle sites like Major League Baseball who get flooded with traffic on opening day and during the World Series and don't need to invest millions in infrastructure to handle these high-traffic times.

    If you want, take a look at the HTML source for Apple's own websites. It used to be that all media (images, QuickTime, etc.) were served from an Akamai URL, but now Apple has images.apple.com, which must hide the Akamai relationship. Still, there are relics like
    http://stream.qtv.apple.com/events/apple/akamai/010500/keynote010500vod_300.mov
    as an example.

    The iTunes Music Store uses Akamai to deliver those great download rates for the 160,000 songs per day they sell.

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.