Apple iTunes Security Flaw Discovered?
brajesh writes "CNET News.com is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."
iTunes is interesting. Its network streaming music feature has been cracked over and over again, as any college student knows. I'm not surprised that someone figured out how to do more malicious things.
Information wants a fueled airplane waiting at the hangar and no one gets hurt.
Wow. Software has flaw allowing remote hackery. This seems to be pretty typical of just about any piece of software written these days (or any days.)
I guess the question is, do we measure a company and its software by its base security, or by how quickly it responds to a discovered threat? I'm personally inclined to lean towards the second.
Excuse my speling.
Making The Bar Project
iTunes has a lot more attack surface than just file sharing via Bonjour. There's the potential for privilege escalation or remote exploit via the iPod service that comes with it. I agree that playing the disclosure game does encourage security companies to release hazy vulnerability reports early and often. But dismissing a security threat is generally not a good idea either.
First. Please tell me, how is using allofmp3 different--morally or legally in the United States--from downloading the audio files from a P2P network?
It's easier, the files are higher-quality, and, at least in Russia, MediaServices has the rights to distribute the music that they are selling. Whether or not it is legal for you to download those tracks has not been determined.
Second, what divinatory powers are you using to find that the security hole somehow relates to the iTunes Music Store? I'm not saying that it isn't, but that information is nowhere to be found in the security bulletin and iTunes has more network features than just the ability to hook up to the iTMS.
Unclear. But I despise iTunes for my own reasons - primarily because I cannot buy from the iTMS because Apple somehow believes that my IP is outside of the US, but also because the tracks are DRM-encumbered AAC files.
Not to mention the fact that iTunes is a memory hog, doesn't look or behave like a Windows application, etc.
Uh....RTFA. It says that the OS X version is unaffected by this. Only the Windows version is vulnerable.
Enemy of the Sun
Crazy idea: They aren't talking about OurTunes, are they? The program that lets people swipe music out of other users' shared libraries? I mean, that's limited to "local networks", right?
so with apple having sold over a billion songs.... they've paid out what... 40 million to artists?
hardly chump change when compared to the $0 that the artists got through allofmp3.
an interesting discussion of allofmp3's legality and mafia connections here: http://www.museekster.com/allofmp3faq.htm
How about playing full-screen videos without paying.
With nothing more to go on than a couple vague sentences from eEye, here's my guess:
One major thing that makes iTunes different from other music player apps is the Music Store integration, which operates as a limited web browser. On OSX it calls WebKit; on Windows either Apple built a custom minibrowser or it calls Explorer. Does anyone know which, BTW?
In any case, this means that iTunes accepts URLs, specifically itms://[...]. It's also capable (on OSX at least) of launching your default browser and other URL helper apps. I'm guessing that Apple did a bad job validating input, and a malicious itms URL could trick iTunes into launching a remote file as if it were a helper app. Hence the local user context. If this is the case, simply viewing an evil web page (with the itms URL as a redirect/iframe/img/whatever) in most browsers should be sufficient to start the attack.
Hopefully someone will divulge the facts soon. Let's see if I'm even close.
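Added example, not part of the thread and not a description of the actual iTunes flaw (the advisory quoted here gives no details): the comment above guesses at a custom-scheme URL handler that hands unvalidated input to a helper launcher, and this Python function shows allowlist validation for a handler of that kind. The function `classify_url`, the policy constants and the host `store.example.com` are hypothetical.

```python
from urllib.parse import urlsplit

# Assumed policy for a hypothetical media-store client (constructed values).
STORE_SCHEME = "itms"
STORE_HOSTS = {"store.example.com"}
BROWSER_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048


def classify_url(raw: str) -> str:
    """Decide what to do with a URL that arrived from untrusted content.

    Returns 'in_app' (render inside the store view), 'browser' (hand to the
    default browser) or 'reject'. Nothing is ever passed to a generic
    "open with helper app" call, so file paths and unknown schemes cannot
    reach a launcher.
    """
    # Whitespace, control characters and backslashes are rejected up front:
    # they are typical ways to smuggle extra arguments or UNC paths.
    if not raw or len(raw) > MAX_URL_LENGTH:
        return "reject"
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in raw):
        return "reject"
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "reject"

    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # user:pass@host forms are used to disguise the real host.
    if parts.username is not None or parts.password is not None:
        return "reject"

    if scheme == STORE_SCHEME:
        # Store URLs are only honoured for allowlisted hosts, default port.
        return "in_app" if host in STORE_HOSTS and port is None else "reject"
    if scheme in BROWSER_SCHEMES and host:
        return "browser"
    # file:, javascript:, data:, unknown schemes, bare paths: never launched.
    return "reject"
```
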
no code can "take over" the computer without the user specifically giving admin privileges.
That's the definition of a "privilege escalation" vulnerability.
Malicious user A, who does not have root privileges, writes a bit of code to take advantage of a bug in application X, which has been legitimately given root privileges. The bug allows her code to run with root privileges as well, so it can then do anything it wants.
This is the kind of bug that allows a low-level but legitimate user to take control of a system.
However, that's not what the eEye report says. The iTunes bug is merely a "remote execution" vulnerability.
A remotely exploitable flaw exists that allows arbitrary code to be executed in the context of the logged in user.
The iTunes bug, it seems, is of the sort that allows an illegitimate attacker to run code on a system.
Meaning, if the "logged in user" does not have admin privileges, then the damage that this could do is more limited. (It could spy on that user's eMail, or run a server only while that user is logged in, etc.)
The really bad vulnerabilities are those that combine remote execution with privilege escalation, and allow an outside attacker to take total control of a system.
The US free market: two halves of a government-granted duopoly are free to set the market price.