Slashdot Mirror
Apple iTunes Hit With a New Critical Flaw
Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via maliciously-crafted MPEG4 file.
iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files."
A security vulnerability for older versions of iTunes isn't exactly iTunes being hit with a critical vulnerability. It's already fixed- in the well-publicized update yesterday.
The ringing of the division bell has begun... -PF
wait... did they just create an advisory based on changelog? didn't this happen with firefox not long ago?
Did they get the FrSIRT post in when they published this vulnerability?
Why is the title of this article "Apple iTunes Hit With a New Critical Flaw". Souln't it be "New Apple iTunes Fixes Critical Flaw"?
Our old software with weaker DRM may render your computer insecure! Upgrade to our new fancy DRMtacular software!
But TFAs don't say anything about this having to to with DRMed MP4s.
In fact, I don't see how one could "specially craft" (per the articles) a DRM protected MP4 and allow it to be played on any computer. Certainly Apple isn't going to sell DRM protected songs that crash the user's computer.
No, instead, this vulnerability would exist if people got a MP4 (AAC) song off a P2P fileshare where someone exploited the pre-4.8 iTunes.
Again, your FUD is appreciated.
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
This is devastating! I need this fixed yesterday.
-- I was raised on the command line, bitch
What's new in iTunes 4.8
iTunes 4.8 includes new Music Store features and support for transferring contacts and calendars from your computer to your iPod (requires Mac OS X version 10.4 on your computer).
So, no mention of a security hole or its having been patched. Hmmm.
I ran SU manually just now and it did not show up. I quit and re-launched version 4.7.1 to see if it would auto-check and it did not (as suggested above, perhaps this is a Windoze only feature). It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers (personally, I think it would be a nice touch if their servers also checked to see if you are one of their 'preferred' customers who has shelled out for a retail copy of Tiger, and gave you the update immediately regardless of your 'net location). Of course, going to itunes.apple.com will let you download the new version immediately, and they have simplified the process by requiring only an email address and the unchecking of two mailing list checkboxes...
The security information can be found here.
All Apple Security updates can be found here.
You can sign up for email notification (with PGP) here.
All that said, I've never seen it take so long for an update like this to show up in software update. If this is a new policy (I can see marketing saying, "make them go to the website so we can show off new features"), I going to be unhappy.