Slashdot Mirror


Apple iTunes Security Flaw Discovered?

brajesh writes "CNET News.com is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."

17 of 207 comments

  1. Only as root by Anonymous Coward · · Score: 5, Informative

    What TFA doesn't point out is that this will only affect OS X users if you're logged in as root.

    1. Re:Only as root by Yahweh+Doesn't+Exist · · Score: 3, Informative

      Also note (for non-Mac OS X users) that root login is disabled by default.

      In my life I've only ever logged in as root on a Mac once. Just to see what it was like.

  2. quicktime standalone by ubergrits · · Score: 5, Informative

    You can get it without iTunes from here: http://www.apple.com/quicktime/download/standalone.html

  3. Re:Awesome by Braino420 · · Score: 3, Informative

    And with the ml_ipod plugin for winamp, you won't ever have to look back!

    --
    They call me the wookie man, I guess that's what I am
  4. Vulnerable Operating Systems by xWastedMindx · · Score: 5, Informative

    Operating Systems Affected:
    All Microsoft Operating Systems
    Nowhere does this advisory say that OS X is affected, or any other operating system for that matter. This is Windows-only, as usual.

    1. Re:Vulnerable Operating Systems by brajesh · · Score: 4, Informative

      eEye has modified the security advisory page within the last few hours. My personal GDS cache still shows the flaw affecting all operating systems, as it was when I submitted the story.

      --
      95% of all sigs are made up.
  5. I don't own an iPod, but I still have iTunes by Fox_1 · · Score: 3, Informative

    It's annoying the way that QuickTime installs iTunes software on your machine, and buries it in the registry so that it starts every time Windows does. If you are looking to just have QuickTime I would advise you to try an alternative or download the standalone from here.

    --
    The rock, the vulture, and the chain
    1. Re:I don't own an iPod, but I still have iTunes by Phroggy · · Score: 3, Informative

      If you already have QuickTime installed, it should certainly be possible to download and install iTunes without QuickTime attached (but I don't think Apple makes this available for Windows; they do for Mac). However, iTunes definitely won't work without QuickTime. As another poster mentioned, iTunes uses QuickTime for media playback (which is why if you want to play Ogg Vorbis files in iTunes, the plugin you need is a QuickTime plugin which will work with all apps that use QuickTime including iTunes). However, QuickTime for Windows also includes a significant chunk of the Carbon API, which iTunes was written for. On Mac OS X (and Mac OS 8.5 and up with CarbonLib installed), the Carbon API is provided by the operating system (alongside the Cocoa API on OSX), but on Windows, without QuickTime there's no Carbon and without Carbon there's no iTunes.

      Why does QuickTime include (parts of) Carbon? Because it was easier to port a chunk of Carbon (or rather, the Macintosh Toolbox, which is what Carbon grew from) to Windows than to rewrite QuickTime to use the Win32 API.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  6. Re:Is This Accurate? by weddellharbor · · Score: 2, Informative

    Right - for some strange reason, CNET's report says that it affects XP and OSX, yet the eEye report specifies that it is Windows-only. I wonder why . . .

  7. Re:Bur, but.. by falcon5768 · · Score: 3, Informative
    Um, no one ever said Macs were invulnerable; in fact many of us OS 9ers remember the QuickTime worm that made itself known from, of all things, a MacAddict CD. It's just that compared to Windows we are a fractional percentage as vulnerable as a Windows machine is, which is practically saying we are invulnerable.

    It's basically like saying we are water resistant, while Win users are those cheap Burger King watches that break by just being out on a humid day.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  8. from TFA by circusboy · · Score: 5, Informative

    This may allow a malicious user on the local system to create an environment where an alternate program will be executed by iTunes.

    Emphasis mine.

    It would seem that remote attacks are not possible unless the attacker had direct access to the machine in question first.

    --
    -- it's ridiculous how many people misspell ridiculous... (damn, damn, damn...)
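The advisory line quoted above describes a local, not remote, problem: a user on the same machine arranges the environment so that a program iTunes runs resolves to a different binary. The usual defender check for that class of issue is to audit where a program name would actually resolve and whether any directory consulted on the way is writable by other users. The following Python script is an added example written for this discussion, not code from the page, eEye, or Apple; it assumes POSIX permission bits, and the directory and helper names (`plantable`, `trusted`, `itunes_helper`) are constructed for the demonstration.

```python
import os
import stat
import tempfile


def is_loosely_writable(directory):
    """True if users other than the owner can write into the directory
    (group- or world-writable bit set). Such a directory is a place where a
    local user could plant a file that a trusted program later executes."""
    try:
        mode = os.stat(directory).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_program_lookup(program, search_dirs):
    """Resolve `program` through `search_dirs` in order, the way a PATH-style
    lookup does, and report every directory consulted up to and including the
    winning one that is loosely writable. Returns (resolved_path, plantable);
    resolved_path is None when no directory holds an executable of that name."""
    plantable = []
    for directory in search_dirs:
        if is_loosely_writable(directory):
            plantable.append(directory)
        candidate = os.path.join(directory, program)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, plantable
    return None, plantable


def build_demo():
    """Constructed scenario (hypothetical names): a world-writable directory is
    searched before the directory holding the real helper, so a file planted
    in the first directory would shadow the genuine program."""
    root = tempfile.mkdtemp(prefix="lookup_audit_")
    plantable = os.path.join(root, "plantable")
    trusted = os.path.join(root, "trusted")
    os.mkdir(plantable)
    os.mkdir(trusted)
    os.chmod(plantable, 0o777)  # anyone on the box can drop a file here
    os.chmod(trusted, 0o755)    # only the owner can write here
    helper = os.path.join(trusted, "itunes_helper")  # hypothetical helper name
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho real helper\n")
    os.chmod(helper, 0o755)
    return audit_program_lookup("itunes_helper", [plantable, trusted])


if __name__ == "__main__":
    resolved, risky = build_demo()
    print("program resolves to:", resolved)
    for directory in risky:
        print("searched before resolution and writable by others:", directory)
```

Run against a real search path (for example `os.environ["PATH"].split(os.pathsep)`) the same function tells you whether a name a program invokes could be shadowed by a lower-privileged local user, which is the condition the quoted advisory text describes; fixing it means tightening the directory permissions or having the program invoke an absolute path.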
  9. Where does it say it affects OS X? by Alpha_Traveller · · Score: 3, Informative

    The article says it affects Mac OS X as well as Windows, and says the security warning says that too, but:

    "Operating Systems Affected:
    All Microsoft Operating Systems"

    No mention of anything other than Microsoft OS'es in the provided link to the advisory.

    --
    "Love is like pi - natural, irrational, and very important." (Lisa Hoffman)
  10. Re:AllofMP3 by Deekin_Scalesinger · · Score: 2, Informative

    By Jove, you're right!

    celestina 11:21am /usr/home/celestina: w allofmp3.com

          Organization:
                OOO MediaServices
                Ivan Fedorov
                Planetnaya str. 29
                Moscow, 125167
                RU
                Phone: +7 095 506-5258
                Fax..: +7 095 506-5258
                Email: admin@allofmp3.com

          Registrar Name....: Register.com
          Registrar Whois...: whois.register.com
          Registrar Homepage: http://www.register.com

          Domain Name: ALLOFMP3.COM

                Created on..............: Tue, Jun 20, 2000
                Expires on..............: Fri, Jun 20, 2008
                Record last updated on..: Thu, Feb 12, 2004

          Administrative Contact:
                OOO MediaServices
                Ivan Fedorov
                Planetnaya str. 29
                Moscow, 125167
                RU
                Phone: +7 095 506-5258
                Fax..: +7 095 506-5258
                Email: admin@allofmp3.com

          Technical Contact:
                OOO MediaServices
                Ivan Fedorov
                Planetnaya str. 29
                Moscow, 125167
                RU
                Phone: +7 095 506-5258
                Fax..: +7 095 506-5258
                Email: admin@allofmp3.com

          Zone Contact:
                OOO MediaServices
                Ivan Fedorov
                Planetnaya str. 29
                Moscow, 125167
                RU
                Phone: +7 095 506-5258
                Fax..: +7 095 506-5258
                Email: admin@allofmp3.com

    --
    "As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?"
  11. Re:And The Score Is... by uncitizen · · Score: 2, Informative

    Unfortunately, even we have to take a hit. Everyone who ran OpenSSH version (???). Again, I forget the version, but it got everyone. That's OpenBSD's "Only one remote hole in the default install, in more than 8 years!"

  12. Correction by U2C · · Score: 4, Informative

    ": This story initially quoted an incorrect report on the eEye Digital Security Web site saying an iTunes security flaw affected both Windows and Mac operating systems. To clarify, eEye is still testing the flaw on the Mac OS."

    --
    My parents went to Las Vegas so that I could witness "'Peak Oil'".
  13. Re:Vector Speculation by squiggleslash · · Score: 3, Informative
    I recall reading somewhere that iTunes actually uses QuickTime, there's no WebKit/HTML in iTunes.

    On occasion, I've been bored enough to comb through my Squid proxy logs for precisely this kind of thing, and curl'd URLs to see exactly what it uses. It's some sort of XML system, but it's not HTML, and I don't see them rendering it with an HTML renderer.

    It's possible the rest of your comment is true, though I'd assume this would make the hack more of a QuickTime-in-general issue rather than something limited to iTunes.

    --
    You are not alone. This is not normal. None of this is normal.
  14. Does not affect Mac OS X by Raffaello · · Score: 4, Informative

    The advisory has been corrected.

    After eEye mistakenly posted a note on its Web site saying the iTunes flaw affected "all operating systems," the security firm updated its warning to indicate that the flaw had been found only on the Windows operating system so far.

    from the corrected advisory:

    Operating Systems Affected:
    All Microsoft Operating Systems


    No other OSes listed, just MS. So Mac OS X is not known to be affected.