Slashdot Mirror


Apple iTunes Hit With a New Critical Flaw

Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via maliciously-crafted MPEG4 file. iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files."
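The summary says 4.8 "improves the validation checks used when loading MPEG4 files" without saying what the checks are. As an added illustration (not Apple's code, and not the actual iTunes bug, which the page does not describe), here is a hypothetical strict walker over the MPEG-4 container's box headers in Python, showing the size-consistency checks a loader needs before it trusts a length field from the file; the box types are real ISO BMFF names, and the sample byte strings are constructed:

```python
"""Strict ISO BMFF (MPEG-4 container) box-header walker.

Hypothetical example, not Apple's code: it shows the kind of length
validation a loader needs so that a crafted box size cannot push reads
outside the buffer that holds the file.
"""
import struct
from typing import List, Optional, Tuple

BOX_HEADER_LEN = 8     # 32-bit size field + 4-character box type
LARGE_HEADER_LEN = 16  # header followed by a 64-bit "largesize"
# Real ISO BMFF container types whose payload is itself a list of boxes.
CONTAINER_TYPES = {"moov", "trak", "mdia", "minf", "stbl"}

Box = Tuple[str, int, int, list]  # (type, absolute offset, total size, children)


class MalformedMP4(ValueError):
    """Raised when a box header is inconsistent with the bytes available."""


def parse_boxes(data: bytes, start: int = 0, end: Optional[int] = None) -> List[Box]:
    """Walk the boxes in data[start:end], validating every size field."""
    end = len(data) if end is None else end
    boxes: List[Box] = []
    offset = start
    while offset < end:
        remaining = end - offset
        if remaining < BOX_HEADER_LEN:
            raise MalformedMP4(f"truncated box header at offset {offset}")
        size, raw_type = struct.unpack(">I4s", data[offset:offset + BOX_HEADER_LEN])
        header_len = BOX_HEADER_LEN
        if size == 1:  # a 64-bit size follows the type field
            if remaining < LARGE_HEADER_LEN:
                raise MalformedMP4(f"truncated largesize at offset {offset}")
            (size,) = struct.unpack(">Q", data[offset + 8:offset + 16])
            header_len = LARGE_HEADER_LEN
        elif size == 0:  # box runs to the end of its enclosing container
            size = remaining
        # The two checks a trusting parser omits: a size smaller than the
        # header makes the loop stall or go backwards; a size larger than what
        # is left makes later reads run past the end of the file buffer.
        if size < header_len:
            raise MalformedMP4(f"box size {size} at offset {offset} is smaller than its header")
        if size > remaining:
            raise MalformedMP4(f"box size {size} at offset {offset} exceeds the {remaining} bytes left")
        box_type = raw_type.decode("ascii", errors="replace")
        children: List[Box] = []
        if box_type in CONTAINER_TYPES:
            # Child boxes are parsed only within the parent's validated bounds.
            children = parse_boxes(data, offset + header_len, offset + size)
        boxes.append((box_type, offset, size, children))
        offset += size
    return boxes


def is_well_formed(data: bytes) -> bool:
    """True if every box size in the file is consistent with its container."""
    try:
        parse_boxes(data)
        return True
    except MalformedMP4:
        return False


def box(box_type: bytes, payload: bytes = b"") -> bytes:
    """Build a box with a correct 32-bit size (helper for the constructed samples)."""
    return struct.pack(">I4s", BOX_HEADER_LEN + len(payload), box_type) + payload


# Constructed samples (not real files): a minimal well-formed layout and
# two headers whose size fields are inconsistent with the data present.
GOOD_SAMPLE = (
    box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isom")
    + box(b"free")
    + box(b"moov", box(b"mvhd"))
)
OVERSIZED_SAMPLE = struct.pack(">I4s", 0xFFFFFFF0, b"mdat") + b"\x00" * 8
UNDERSIZED_SAMPLE = struct.pack(">I4s", 4, b"free") + b"\x00" * 8

if __name__ == "__main__":
    for name, sample in [("good", GOOD_SAMPLE), ("oversized", OVERSIZED_SAMPLE),
                         ("undersized", UNDERSIZED_SAMPLE)]:
        print(f"{name}: well-formed={is_well_formed(sample)}")
```

The walker rejects a file as soon as any box claims more bytes than its container has left or fewer than its own header, so nested parsers (the `moov` children here) only ever see ranges that have already been bounds-checked.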

16 of 44 comments

  1. Not amazingly new by caerwyn · · Score: 5, Informative

    A security vulnerability for older versions of iTunes isn't exactly iTunes being hit with a critical vulnerability. It's already fixed - in the well-publicized update yesterday.

    --
    The ringing of the division bell has begun... -PF
  2. So patched before public disclosure by pv2b · · Score: 2, Interesting

    This is good. A software vendor releasing a patch for a security hole in a product before full-disclosure of the hole.

    Though I'm puzzled -- why doesn't iTunes 4.8 show up in my Software Update yet? (Mac OS X 10.4, current iTunes version 4.7.1.)

    1. Re:So patched before public disclosure by rich3rd · · Score: 3, Informative
      From the readme:

      What's new in iTunes 4.8
      iTunes 4.8 includes new Music Store features and support for transferring contacts and calendars from your computer to your iPod (requires Mac OS X version 10.4 on your computer).

      So, no mention of a security hole or its having been patched. Hmmm.

      I ran SU manually just now and it did not show up. I quit and re-launched version 4.7.1 to see if it would auto-check and it did not (as suggested above, perhaps this is a Windoze only feature). It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers (personally, I think it would be a nice touch if their servers also checked to see if you are one of their 'preferred' customers who has shelled out for a retail copy of Tiger, and gave you the update immediately regardless of your 'net location). Of course, going to itunes.apple.com will let you download the new version immediately, and they have simplified the process by requiring only an email address and the unchecking of two mailing list checkboxes...

    2. Re:So patched before public disclosure by pv2b · · Score: 3, Informative
      Of course, going to itunes.apple.com will let you download the new version immediately, and they have simplified the process by requiring only an email address and the unchecking of two mailing list checkboxes...
      You don't even need to enter an e-mail address. It's optional! I just unchecked the checkboxes and clicked on Download.
    3. Re:So patched before public disclosure by pizero · · Score: 5, Informative

      The security information can be found here.

      All Apple Security updates can be found here.

      You can sign up for email notification (with PGP) here.

      All that said, I've never seen it take so long for an update like this to show up in software update. If this is a new policy (I can see marketing saying, "make them go to the website so we can show off new features"), I'm going to be unhappy.

    4. Re:So patched before public disclosure by Devil's+Avocado · · Score: 2, Interesting

      Same for me. Have you moved iTunes.app out of /Applications? Software Update is annoyingly picky about having everything be there, despite Apple's "apps are drag-and-droppable" paradigm.

  3. read changelog, post advisory, rinse and repeat by __aaitqo8496 · · Score: 3, Interesting

    wait... did they just create an advisory based on changelog? didn't this happen with firefox not long ago?

  4. FrSIRT? by commodoresloat · · Score: 3, Funny

    Did they get the FrSIRT post in when they published this vulnerability?

  5. Misleading Article Title by Anonymous Coward · · Score: 5, Insightful

    Why is the title of this article "Apple iTunes Hit With a New Critical Flaw"? Shouldn't it be "New Apple iTunes Fixes Critical Flaw"?

  6. Thanks for the FUD by amichalo · · Score: 5, Insightful

    Our old software with weaker DRM may render your computer insecure! Upgrade to our new fancy DRMtacular software!

    But TFAs don't say anything about this having to do with DRMed MP4s.

    In fact, I don't see how one could "specially craft" (per the articles) a DRM protected MP4 and allow it to be played on any computer. Certainly Apple isn't going to sell DRM protected songs that crash the user's computer.

    No, instead, this vulnerability would exist if people got an MP4 (AAC) song off a P2P fileshare where someone exploited the pre-4.8 iTunes.

    Again, your FUD is appreciated.

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
    1. Re:Thanks for the FUD by pv2b · · Score: 2, Informative

      I think you misunderstand the grandparent poster.

      He was referring to apple working around DRM-circumvention software (I think it was called pyMusique) by updating iTunes.

      And it's convenient to tell people they *have* to update iTunes because of a security hole. (It IS convenient, yes, but I don't think that's Apple's intention. I don't think the grandparent was saying that either.)

    2. Re:Thanks for the FUD by ABaumann · · Score: 2, Insightful

      I was wondering when someone would play the troll card on this one. I'm certainly not surprised that it came in this form either. Other acceptable trolls would have been:

      - I told you OS X had major security issues.
      - I don't need to worry about it. iTunes doesn't run on my linux box.

      But yeah, of the three, yours is far better. I mean, since we all have hard disks and portable music players of infinite size, things like WAV and FLAC make perfect sense for the standard user. ...and don't give me that OGG or WMA is better than MP4/AAC bs because comparing lossy formats is just a waste of time.

  7. oh no by fulldecent · · Score: 4, Funny

    This is devastating! I need this fixed yesterday.

    --
    I was raised on the command line, bitch

  8. How Apple handles burst traffic by amichalo · · Score: 2, Interesting

    It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers...

    The process you suggest is not how Apple manages server load "bursting".

    Instead, Apple is a customer of Akamai, pretty much the only vendor (now that they bought their closest competitor, Speedera) of distributed hosting for On Demand (burst) Management and Content Delivery (used for iTunes Music Store) for global enterprises. These folks handle sites like Major League Baseball who get flooded with traffic on opening day and during the World Series and don't need to invest millions in infrastructure to handle these high-traffic times.

    If you want, take a look at the HTML source for apple's own websites. It used to be that all media (images, quicktime, etc) were served from an akamai URL but now apple has images.apple.com that must hide the Akamai relationship. Still, there are relics like
    http://stream.qtv.apple.com/events/apple/akamai/010500/keynote010500vod_300.mov
    as an example.

    The iTunes Music Store uses Akamai to deliver those great download rates for the 160,000 songs per day they sell.

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
  9. Slashdot News Hit With a New Stupid Title by fatalb7 · · Score: 2, Insightful


    Do we really need this kind of sensationalism?
    The announcement of the new version fixing this was posted on /. yesterday.

    Anything new?

  10. Update notice via iTunes by benwaggoner · · Score: 2, Insightful

    I just launched iTunes 4.7, and was prompted to download 4.8.

    Not via software update, but it's something.