Slashdot Mirror
Apple iTunes Hit With a New Critical Flaw
Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via maliciously-crafted MPEG4 file.
iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files."
Our old software with weaker DRM may render your computer insecure! Upgrade to our new fancy DRMtacular software!
A security vulnerability for older versions of iTunes isn't exactly iTunes being hit with a critical vulnerability. It's already fixed- in the well-publicized update yesterday.
The ringing of the division bell has begun... -PF
Maybe this is a sign that apple is moving to fast. They are expanding in every direction (new os, new apps, new features in every app, new hardware). It will be difficult for Apple to keep the quality high as the volume keeps increasing.
This is good. A software vendor releasing a patch for a security hole in a product before full-disclosure of the hole.
Though I'm puzzled -- why doesn't iTunes 4.8 show up in my Software Update yet? (Mac OS X 10.4, current iTunes version 4.7.1.)
wait... did they just create an advisory based on changelog? didn't this happen with firefox not long ago?
From TFA: A vulnerability has been reported in iTunes, which potentially can be exploited by malicious people to compromise a user's system [...] caused (by) a boundary error [...] and can be exploited to cause a buffer overflow via a specially crafted MPEG-4 file [...] (that could) allow execution of arbitrary code.
This is worrisome on one hand, but on the other, there is no description of what it takes to "specially craft" an MP4 to take advantage of the exploit.
I chalk it up as yet another reason to upgrade to iTunes 4.8
Other reasons to upgrade include:
- support for video within iTunes (like that included in the $11.98 Dave Matthews Band album Stand Up
- syncing of contacts/calendars to iPod
Disclaimer: This is not an ad
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
Did they get the FrSIRT post in when they published this vulnerability?
Why is the title of this article "Apple iTunes Hit With a New Critical Flaw". Souln't it be "New Apple iTunes Fixes Critical Flaw"?
Our old software with weaker DRM may render your computer insecure! Upgrade to our new fancy DRMtacular software!
But TFAs don't say anything about this having to to with DRMed MP4s.
In fact, I don't see how one could "specially craft" (per the articles) a DRM protected MP4 and allow it to be played on any computer. Certainly Apple isn't going to sell DRM protected songs that crash the user's computer.
No, instead, this vulnerability would exist if people got a MP4 (AAC) song off a P2P fileshare where someone exploited the pre-4.8 iTunes.
Again, your FUD is appreciated.
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
This is devastating! I need this fixed yesterday.
-- I was raised on the command line, bitch
And now I'm a Mac OS X user. Go figure.
It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers...
1 0500/keynote010500vod_300.mov
The process you suggest is not how Apple manages server load "bursting".
Instead, Apple is a customer of Akamai, pretty much the only vendor (now that they bought their closest competitor, Speedera) of distributed hosting for On Demand (burst) Management and Content Delivery (used for iTunes Music Store) for global enterprises. These folks handle sites like Major League Baseball who get flooded with traffic on opening day and during the World Series and don't need to invest millions in infrastructure to handle these high-traffic times.
If you want, take a look at the HTML source for apple's own websites. It used to be that all media (images, quicktime, etc) were served from an akamai URL but now apple has images.apple.com that must hide the Akamai relationship. Still, there are relecs like
http://stream.qtv.apple.com/events/apple/akamai/0
as an example.
The iTunes Music Store uses Akamai to deliver those great download rates for the 160,000 songs per day they sell.
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
Indeed. The quality of Apple's most basic software The Finder has dumfounded experts everywhere with it's amazing and unique attributes, but it's the Finder's rock solid stability which has won hearts. Reports of arbitrary crashing, arbitrary icon replacement, corruption of data on .dmg files, not connecting to other networks properly and having no proper error handling for bad connections to those networks, the lack of realtime update of files, no read/write for ftp volumes, arbitrary changing and resetting of directory views and changing of default options to manage them were all lies constructed by industrial sabateurs.
Other great software innovations by Apple include Dashboard which although indentical in every conceivable way to Konfabulator is actually an extension on an idea of Desk Accessories that Apple neglected as a technology for about 15 years, then suddenly decided to remember sometime recently. It is totally absolutely realistic that Dashboard would have existed exactly like it does if Konfabulator had not appeared, and anyone who says not is a troll.
Experts also applaude Apple's other revolutionary piece of software called 'Preview'. Preview shows Apple's daring break with tradition when it comes to viewing PDFs by eliminating the de-facto standard keyboard shortcut for quick panning and scrolling; the Space bar, or the number 2 shortcut "alt" with Command 1 to put you into scroll tool mode.
Also Apple impressed everyone with preview's incredible random size picture display technology. Tired of looking at a picture the size it actually is ? No problem, fire up Preview and open a bunch of files and watch your images appear at an amazing arbitrary jumble of different sizes from thumbnail to print res.
Also useful was that Preview cannot have pictures dragged directly onto it's windows, which Apple chose to express it's superior quality to competing products.
Preview is also 110% stable and never crashes no matter what. Reports that Preview crashes with any slightly dodgy jpeg, or crashes if it can't access a volume are complete lies.
Do we really need this kind sensationalism?
The announce of the new version fixing this was posted on
Anything new?
While Apple does use Akamai to distribute their content, they have also historically done Software Update rollouts in a gradual manner. If you look back at the history of non-security updates, it's not uncommon for some people to have the update show up while others get the "no updates available."
At first I was like "Wow, an apple vulnerablity! Why is this not on the front page of Slashdot?"
Then I realized it was false, sensational and misleading title, which was referred to yesterday on the front page of slashdot.
After I realized that I wondered, "Why isn't this on the front page of slashdot?!?!? It fits all the criteria.
http://www.veganfilm/
It comes from "i was raised on the dairy bitch"
Time between Microsoft vulnerability being found and patched: Measured by counting redwood tree rings.
Alternately, we could measure Microsoft's patch time by the number of spam e-mails an unpatched zombie system sends out. "Wow, Microsoft patched that security hole after only 9,000,000 SoBigs! They're really improving!"
Crow T. Trollbot
I just launched iTunes 4.7, and was prompted to download 4.8.
Not via software update, but it's something.
My video compression blog
I imagine that while the vulnerability affects both platforms, an exploit would target the Windows version only. Would an attacker be able to target Mac owners? I recall reading somewhere that the x86 architecture (on all platforms) is more vulnerable than PPC; could someone comment?