Slashdot Mirror


Apple iTunes Security Flaw Discovered?

brajesh writes "CNET News.com is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."

12 of 207 comments

  1. So what? And what do we know about this exploit? by daveschroeder · · Score: 4, Insightful

    Nothing yet, since details of the flaw won't be released by eEye until a patch is released by Apple.

    If someone is wondering "should I be worried", the answer is no; exploits of this nature are usually still theoretical and not being exploited en masse "in the wild". Many of these exploits are explicitly discovered by the security organizations who have released the advisories themselves and are often not necessarily representative of any actual exploit being applied maliciously: the idea is to catch security vulnerabilities before they are actually used maliciously. Further, the exploit in question probably requires the user to specifically visit a malicious web site (other than a port open via Rende..., er I mean, Bonjour, when iTunes Sharing is enabled, I don't know of any other avenue to exploit iTunes). The exploit must, therefore, pass a url and/or file to iTunes, and therefore would very likely require visiting a malicious web site.

    We don't know the details of the exploit, I can still say it's extremely likely that it is not something that would be able to spontaneously occur simply by using iTunes in a normal fashion.

    This story would more accurately be:

    "Some unknown and unannounced flaw found in a piece of software; fix coming from software vendor"

    Is this news?

    (And it's amusing that if you buy a commercial product from the vendor issuing the vulnerability, you'll be protected! Not a rip on eEye, who has discovered a good deal of vulnerabilities, but it's not as if many of these security entities themselves don't have an interest in finding "vulnerabilities", no matter how nebulous or unlikely.)

  2. Re:AllofMP3 by Kenja · · Score: 2, Insightful

    Some of us don't like supporting the Russian mafia. And remember, just because a foreign government says artists don't have rights, does not mean you should agree. At least Apple gives something back to the people who write and perform the music.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  3. Attack vector? by J0nne · · Score: 3, Insightful

    Well, that's not a lot of info.
    All they say is: 'it's vulnerable! run for the hills!'.

    I don't use iTunes, so I don't really care, but what's the vector? Is it a malformed MP3/AAC file? Does iTunes run as a service that listens to a certain port, and can it be attacked through there (probably not likely, as I don't see why a music player should be listening to some port)?

    This lacks information, and you really can't do anything to protect yourself if you don't know how the hell the exploit works...

  4. Re:So what? And what do we know about this exploit by pudge · · Score: 3, Insightful

    We don't know the details of the exploit, I can still say it's extremely likely that it is not something that would be able to spontaneously occur simply by using iTunes in a normal fashion.

    I can still say it's extremely likely that there is no exploit or flaw at all. Why would anyone believe it? There's no evidence of any kind that any exploit or flaw exists, at all.

    This story would more accurately be: "Some unknown and unannounced flaw found in a piece of software; fix coming from software vendor"

    Close, but more accurate still would be: "Some security company trying to drum up business for itself says its product will protect users from a flaw they claim exists, but offer no details or evidence for."

  5. Re:AllofMP3 by avleeuwen · · Score: 3, Insightful

    Yeah, and everyone knows there are _never_ security flaws in web browsers.

  6. Re:AllofMP3 by Llywelyn · · Score: 4, Insightful

    First. Please tell me, how is using allofmp3 different--morally or legally in the United States--from downloading the audio files from a P2P network?

    Second, what divinatory powers are you using to find that the security hole somehow relates to the iTunes Music Store? I'm not saying that it isn't, but that information is nowhere to be found in the security bulletin and iTunes has more network features than just the ability to hook up to the iTMS.

    --
    Integrate Keynote and LaTeX
  7. How's that? by jfengel · · Score: 4, Insightful

    I don't know the details of the situation, but there are plenty of things an exploit can do even without root: delete or read your files, open up a spam relay, perhaps even log your keystrokes. Is there something special about the nature of this flaw that it can't be exploited at all without root access?

  8. Re:So what? And what do we know about this exploit by daveschroeder · · Score: 3, Insightful

    In fairness, eEye has discovered legitimate vulnerabilities that Apple has actually included in OS and security updates.

    However, I do agree with you.

    And further, it's impossible for this to be a "remote execute" vulnerability like the stories based on the extremely vague advisory make it out to be: you can't even talk to iTunes remotely when it's running (unless you have iTunes Sharing enabled, which is available on your local subnet). Therefore, as I've said in another post, this vulnerability *must* be exploited via visiting a malicious web site, which then passes a url and/or file to iTunes. Period. That's the only way this could happen. It's not just something where if you run iTunes, all of a sudden you're vulnerable. Bravo to the way they've positioned it though. They probably floated out some media releases, too. I especially like the last line of the advisory:

    Protection: Blink Endpoint Vulnerability Prevention mitigates any potential exploitation of this vulnerability, without requiring a patch or invasive firewall actions.

    And, for what it's worth, eEye will release the "details", whatever they are, after Apple has patched whatever the issue is.

  9. Re:Wow. No Kidding. by Daniel_Staal · · Score: 4, Insightful
    I guess the question is, do we measure a company and its software by its base security, or by how quickly it responds to a discovered threat? I'm personally inclined to lean towards the second.

    Both, of course. The first shows how good they are at actually designing and creating software, and the second shows how much they listen to their users/their lawyers/the press. (Take your pick.)

    --
    'Sensible' is a curse word.
  10. Re:So what? And what do we know about this exploit by pudge · · Score: 4, Insightful
    And further, it's impossible for this to be a "remote execute" vulnerability like the stories based on the extremely vague advisory make it out to be: you can't even talk to iTunes remotely when it's running (unless you have iTunes Sharing enabled, which is available on your local subnet).

    Well, not impossible. Go to System Preferences -> Sharing -> Remote Apple Events. Turn it on. Now someone can do pretty much what they want with your system. If they have a valid username/password (or you turned on the Mac OS 9 password ... which wouldn't be a security flaw, but part of the design).

    I could, for example, do something like:
    glue Finder '$g->ADDRESS(eppc => Finder => "your.machine.example.com"); $g->obj(item => 1)->delete'
    That would be mean and cruel. And it works over the Internet. And it would also require me to have a username and password on your machine.

    And, for what it's worth, eEye will release the "details", whatever they are, after Apple has patched whatever the issue is.

    And if they do, I will care at that time. It's the height of irresponsibility to release details in this way. The only point is to scare people into buying their product. And therefore I consider it, until actual details emerge, a malicious hoax.
  11. Re:So what? And what do we know about this exploit by misleb · · Score: 2, Insightful

    Of course, then you have to wonder how many of these vulnerabilities are discovered by Black Hats and never release information. Black Hats are probably sitting on hundreds of otherwise undiscovered exploits. There is no reason to believe that only "security organizations" can find exploits like this.

    -matthew

    --
    "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  12. Re:So what? And what do we know about this exploit by shawb · · Score: 2, Insightful

    Why would people believe it? Most likely because the company wouldn't want to be sued for libel by Apple.

    --
    I'll never make that mistake again, reading the experts' opinions. - Feynman