Slashdot Mirror


Apple iTunes Security Flaw Discovered?

brajesh writes "CNET News.com is reporting that a critical vulnerability has been found in some versions of Apple's popular iTunes that could allow attackers to remotely take over a user's computer, according to a warning issued by eEye Digital Security, a security research firm. The latest iTunes flaw affects all operating systems from Windows XP to Mac OS X, according to the advisory. The discovery of this latest flaw comes days after Apple issued its iTunes 6 for Windows security update."

21 of 207 comments

  1. So what? And what do we know about this exploit? by daveschroeder · · Score: 4, Insightful

    Nothing yet, since details of the flaw won't be released by eEye until a patch is released by Apple.

    If someone is wondering "should I be worried", the answer is no; exploits of this nature are usually still theoretical and not being exploited en masse "in the wild". Many of these exploits are explicitly discovered by the security organizations who have released the advisories themselves and are often not necessarily representative of any actual exploit being applied maliciously: the idea is to catch security vulnerabilities before they are actually used maliciously. Further, the exploit in question probably requires the user to specifically visit a malicious web site (other than a port open via Rende..., er I mean, Bonjour, when iTunes Sharing is enabled, I don't know of any other avenue to exploit iTunes). The exploit must, therefore, pass a url and/or file to iTunes, and therefore would very likely require visiting a malicious web site.

    We don't know the details of the exploit, but I can still say it's extremely likely that it is not something that would be able to spontaneously occur simply by using iTunes in a normal fashion.

    This story would more accurately be:

    "Some unknown and unannounced flaw found in a piece of software; fix coming from software vendor"

    Is this news?

    (And it's amusing that if you buy a commercial product from the vendor issuing the vulnerability, you'll be protected! Not a rip on eEye, who has discovered a good deal of vulnerabilities, but it's not as if many of these security entities themselves don't have an interest in finding "vulnerabilities", no matter how nebulous or unlikely.)

  2. Inconceivable! by stupidfoo · · Score: 4, Funny

    A security flaw in an Apple product? That's inconceivable!

    1. Re:Inconceivable! by paranode · · Score: 4, Funny

      You better shut your iHole!

  3. Wow. No Kidding. by IAmTheDave · · Score: 5, Interesting

    Wow. Software has flaw allowing remote hackery. This seems to be pretty typical of just about any piece of software written these days (or any days.)

    I guess the question is, do we measure a company and its software by its base security, or by how quickly it responds to a discovered threat? I'm personally inclined to lean towards the second.

    --
    Excuse my speling.
    Making The Bar Project

  4. Only as root by Anonymous Coward · · Score: 5, Informative

    What TFA doesn't point out is that this will only affect OS X users if you're logged in as root.

  5. quicktime standalone by ubergrits · · Score: 5, Informative

    You can get it without iTunes from here: http://www.apple.com/quicktime/download/standalone.html

  6. And The Score Is... by RapidEye · · Score: 5, Funny

    Apple Hackers: 1
    Linux Hackers: 2
    Windows Hackers: 134,443,229

    You guys still got a ways to go... =-)

    --
    "Murderer? Well, that's a harsh word. I prefer to think of myself as a Mortality Technician."

  7. Vulnerable Operating Systems by xWastedMindx · · Score: 5, Informative

    Operating Systems Affected:
    All Microsoft Operatins Systems
    Nowhere does this advisory say that OSX is affected, or any other operating system for that matter. This is Windows-Only, as usual.

    1. Re:Vulnerable Operating Systems by brajesh · · Score: 4, Informative

      eEye has modified the security advisory page within the last few hours. My personal GDS cache still shows the flaw affecting all operating systems, as it was when I submitted the story.

      --
      95% of all sigs are made up.

  8. Re:AllofMP3 by Llywelyn · · Score: 4, Insightful

    First. Please tell me, how is using allofmp3 different--morally or legally in the United States--from downloading the audio files from a P2P network?

    Second, what divinatory powers are you using to find that the security hole somehow relates to the iTunes Music Store? I'm not saying that it isn't, but that information is nowhere to be found in the security bulletin and iTunes has more network features than just the ability to hook up to the iTMS.

    --
    Integrate Keynote and LaTeX

  9. How's that? by jfengel · · Score: 4, Insightful

    I don't know the details of the situation, but there are plenty of things an exploit can do even without root: delete or read your files, open up a spam relay, perhaps even log your keystrokes. Is there something special about the nature of this flaw that it can't be exploited at all without root access?

  10. Re:So what? And what do we know about this exploit by Justin_Schuh · · Score: 4, Interesting

    iTunes has a lot more attack surface than just file sharing via Bonjour. There's the potential for privilege escalation or remote exploit via the iPod service that comes with it. I agree that playing the disclosure game does encourage security companies to release hazy vulnerability reports early and often. But dismissing security threats is generally not a good idea either.

  11. Re:Wow. No Kidding. by Daniel_Staal · · Score: 4, Insightful

    I guess the question is, do we measure a company and its software by its base security, or by how quickly it responds to a discovered threat? I'm personally inclined to lean towards the second.

    Both, of course. The first shows how good they are at actually designing and creating software, and the second shows how much they listen to their users/their lawyers/the press. (Take your pick.)

    --
    'Sensible' is a curse word.

  12. Re:So what? And what do we know about this exploit by pudge · · Score: 4, Insightful

    And further, it's impossible for this to be a "remote execute" vulnerability like the stories based on the extremely vague advisory make it out to be: you can't even talk to iTunes remotely when it's running (unless you have iTunes Sharing enabled, which is available on your local subnet).

    Well, not impossible. Go to System Preferences -> Sharing -> Remote Apple Events. Turn it on. Now someone can do pretty much what they want with your system. If they have a valid username/password (or you turned on the Mac OS 9 password ... which wouldn't be a security flaw, but part of the design).

    I could, for example, do something like:
    glue Finder '$g->ADDRESS(eppc => Finder => "your.machine.example.com"); $g->obj(item => 1)->delete'
    That would be mean and cruel. And it works over the Internet. And it would also require me to have a username and password on your machine.

    And, for what it's worth, eEye will release the "details", whatever they are, after Apple has patched whatever the issue is.

    And if they do, I will care at that time. It's the height of irresponsibility to release details in this way. The only point is to scare people into buying their product. And therefore I consider it, until actual details emerge, a malicious hoax.

  13. from TFA by circusboy · · Score: 5, Informative

    This may allow a malicious user on the local system to create an environment where an alternate program will be executed by iTunes.

    Emphasis mine.

    It would seem that remote attacks are not possible unless the attacker had direct access to the machine in question first.

    --
    -- it's ridiculous how many people misspell ridiculous... (damn, damn, damn...)

  14. Re:Awesome by geekoid · · Score: 4, Funny

    Wow, you found a perfect and non-exploitable piece of software.
    Tell me, was it made by Pixies, or Fairies?

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

  15. critical vulnerability of the week by digitaldc · · Score: 4, Funny

    This new critical vulnerability was discovered when it was found that someone turned their computer to 'ON' thereby leaving it vulnerable to crackers, hackers, script kiddies and bots. The fact that a human was operating the PC deemed it especially 'critical.'

    --
    He who knows best knows how little he knows. - Thomas Jefferson

  16. Vector Speculation by frankie · · Score: 4, Interesting

    With nothing more to go on than a couple vague sentences from eEye, here's my guess:

    One major thing that makes iTunes different from other music player apps is the Music Store integration, which operates as a limited web browser. On OSX it calls WebKit; on Windows either Apple built a custom minibrowser or it calls Explorer. Does anyone know which, BTW?

    In any case, this means that iTunes accepts URLs, specifically itms://[...]. It's also capable (on OSX at least) of launching your default browser and other URL helper apps. I'm guessing that Apple did a bad job validating input, and a malicious itms URL could trick iTunes into launching a remote file as if it were a helper app. Hence the local user context. If this is the case, simply viewing an evil web page (with the itms URL as a redirect/iframe/img/whatever) in most browsers should be sufficient to start the attack.

    Hopefully someone will divulge the facts soon. Let's see if I'm even close.

  17. Ah, the old Macdonald exploit... by g0at · · Score: 5, Funny

    Is this a case of eEye E-I/O?

    -b

  18. Correction by U2C · · Score: 4, Informative

    "This story initially quoted an incorrect report on the eEye Digital Security Web site saying an iTunes security flaw affected both Windows and Mac operating systems. To clarify, eEye is still testing the flaw on the Mac OS."

    --
    My parents went to Las Vegas so that i could witness "'Peak Oil'".

  19. Does not affect Mac OS X by Raffaello · · Score: 4, Informative

    The advisory has been corrected.

    After eEye mistakenly posted a note on its Web site saying the iTunes flaw affected "all operating systems," the security firm updated its warning to indicate that the flaw had been found only on the Windows operating system so far.

    from the corrected advisory:

    Operating Systems Affected:
    All Microsoft Operatins Systems


    No other OSes listed, just MS. So Mac OS X is not known to be affected.