
Apple iTunes Hit With a New Critical Flaw

Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via a maliciously crafted MPEG4 file. iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files."
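The summary says only that iTunes 4.8 "improves the validation checks used when loading MPEG4 files", and the advisory text quoted in the comments below calls the bug a boundary error leading to a buffer overflow. The page never says which field or box in the file is at fault, so the following is an added illustration, not Apple's code and not the actual iTunes defect: it walks the generic MPEG-4 box layout (a 4-byte big-endian size, a 4-byte type, then payload) and shows the unchecked-size pattern beside a hardened walker. Box names, buffer sizes and the sample files are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added illustration (not Apple's code, not the real iTunes bug): parsing
 * the MPEG-4 box layout with and without validating the attacker-controlled
 * size field. A box is: uint32 big-endian size, 4-byte type, payload.
 */

#define BOX_HEADER 8
#define MAX_PAYLOAD 16   /* assumed fixed scratch buffer a naive parser might use */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Naive pattern: the box's own size field decides how many bytes get copied
 * into a fixed buffer. To keep the demo from corrupting memory this only
 * returns the length a memcpy would be handed; in real code that length goes
 * straight into memcpy(scratch, box + BOX_HEADER, len).
 */
uint32_t naive_payload_len(const uint8_t *box) {
    uint32_t size = be32(box);
    return size - BOX_HEADER;   /* size < 8 wraps to ~4 GiB: a classic boundary error */
}

/* Result codes for the hardened walker. */
enum { BOX_ERR_TRUNCATED = -1, BOX_ERR_BADSIZE = -2, BOX_ERR_TOOBIG = -3 };

/*
 * Hardened walker: each declared size is checked against the header minimum,
 * the bytes actually remaining, and the scratch buffer before any copy.
 * Returns the number of boxes walked, or a negative BOX_ERR_* code.
 * size 0 (box runs to EOF) and size 1 (64-bit largesize follows) are valid
 * in the format but need extra handling, so this walker simply rejects them.
 */
int walk_boxes(const uint8_t *data, size_t len, char types_out[][5], int max_boxes) {
    size_t off = 0;
    int n = 0;
    uint8_t scratch[MAX_PAYLOAD];

    while (off < len && n < max_boxes) {
        if (len - off < BOX_HEADER)          /* not even a full header left */
            return BOX_ERR_TRUNCATED;
        uint32_t size = be32(data + off);
        if (size < BOX_HEADER)               /* would underflow size - header */
            return BOX_ERR_BADSIZE;
        if (size > len - off)                /* declared size runs past the input */
            return BOX_ERR_TRUNCATED;
        uint32_t payload = size - BOX_HEADER;
        if (payload > sizeof scratch)        /* would overflow the fixed buffer */
            return BOX_ERR_TOOBIG;
        memcpy(scratch, data + off + BOX_HEADER, payload);
        memcpy(types_out[n], data + off + 4, 4);
        types_out[n][4] = '\0';
        n++;
        off += size;
    }
    return n;
}

/* Constructed sample inputs (not real iTunes files). */
const uint8_t good_file[] = {
    0, 0, 0, 16, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 0, 1,  /* ftyp, 8-byte payload */
    0, 0, 0, 8,  'f', 'r', 'e', 'e'                                  /* empty free box */
};
const uint8_t short_size_file[]   = { 0, 0, 0, 4, 'm', 'o', 'o', 'v' };                /* size 4 < header */
const uint8_t oversize_file[]     = { 0x10, 0, 0, 0, 'm', 'd', 'a', 't', 1, 2, 3, 4 }; /* claims 256 MiB */
const uint8_t big_payload_file[32] = { 0, 0, 0, 32, 'm', 'd', 'a', 't' };              /* 24-byte payload, present */

int main(void) {
    char types[4][5];
    printf("good file: %d boxes\n", walk_boxes(good_file, sizeof good_file, types, 4));
    printf("naive length for a size=4 box: %u\n", naive_payload_len(short_size_file));
    printf("hardened: short=%d oversize=%d big=%d\n",
           walk_boxes(short_size_file, sizeof short_size_file, types, 4),
           walk_boxes(oversize_file, sizeof oversize_file, types, 4),
           walk_boxes(big_payload_file, sizeof big_payload_file, types, 4));
    return 0;
}
```

The three rejected inputs are the three checks a parser for a length-prefixed container has to make in order: the size must be at least the header it includes (otherwise the subtraction wraps), it must not exceed the bytes actually present, and the payload must fit whatever it is copied into. Any one of them missing is enough for a crafted file to steer a memcpy.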
  • Not amazingly new (Score:5, Informative)

    by caerwyn ( 38056 ) on Tuesday May 10, 2005 @03:23PM (#12491502)
    A security vulnerability for older versions of iTunes isn't exactly iTunes being hit with a critical vulnerability. It's already fixed, in the well-publicized update yesterday.
  • by pv2b ( 231846 ) on Tuesday May 10, 2005 @03:24PM (#12491511)
    This is good. A software vendor releasing a patch for a security hole in a product before full-disclosure of the hole.

    Though I'm puzzled -- why doesn't iTunes 4.8 show up in my Software Update yet? (Mac OS X 10.4, current iTunes version 4.7.1.)
    • If you launch iTunes it should let you know that a new version is available and take you to the download page if you so desire, at least it did for me.
      • What platform is this on? I think the Windows version does that, but Apple didn't want to clutter every single program on OS X with update code and interfaces, and handle all updates centrally through "Software Update" instead.

        At least in theory. It didn't show up there yet for me. Oh well, I patched it manually already. Ironically it said something like "Next time, you can get this from Software Update and not go through this cumbersome process next time" when I went to download it off Apple's web site.
        • From the readme:

          What's new in iTunes 4.8
          iTunes 4.8 includes new Music Store features and support for transferring contacts and calendars from your computer to your iPod (requires Mac OS X version 10.4 on your computer).

          So, no mention of a security hole or its having been patched. Hmmm.

          I ran SU manually just now and it did not show up. I quit and re-launched version 4.7.1 to see if it would auto-check and it did not (as suggested above, perhaps this is a Windoze only feature). It has been suggested

          • Of course, going to itunes.apple.com will let you download the new version immediately, and they have simplified the process by requiring only an email address and the unchecking of two mailing list checkboxes...
            You don't even need to enter an e-mail address. It's optional! I just unchecked the checkboxes and clicked on Download.
            • You don't even need to enter an e-mail address. It's optional! I just unchecked the checkboxes and clicked on Download.

              Damn! This means I wasted 2.7 seconds typing 'biteme@mybigfat.org' when all I had to do was click three times.

          • by pizero ( 461424 ) on Tuesday May 10, 2005 @04:24PM (#12492124)
            The security information can be found here [apple.com].

            All Apple Security updates can be found here [apple.com].

            You can sign up for email notification (with PGP) here [apple.com].

            All that said, I've never seen it take so long for an update like this to show up in software update. If this is a new policy (I can see marketing saying, "make them go to the website so we can show off new features"), I'm going to be unhappy.
          • It has been suggested in comments to previous posts that they are rolling out the SU selectively to different parts of the 'net to ease the load on their servers...

            The process you suggest is not how Apple manages server load "bursting".

            Instead, Apple is a customer of Akamai [akamai.com], pretty much the only vendor (now that they bought their closest competitor, Speedera) of distributed hosting for On Demand (burst) Management and Content Delivery (used for iTunes Music Store) for global enterprises. These folks han
            • Kind of. (Score:1, Informative)

              by Anonymous Coward
              While Apple does use Akamai to distribute their content, they have also historically done Software Update rollouts in a gradual manner. If you look back at the history of non-security updates, it's not uncommon for some people to have the update show up while others get the "no updates available."
              • If you look back at the history of non-security updates, it's not uncommon for some people to have the update show up while others get the "no updates available."

                I would be interested to read about this. Do you have a link to more information?
      • Hmmm, weird. I am running 10.4 and it came up for me. . .
      • I just tried it on OS X Tiger, both by manually checking for updates, and by launching iTunes fresh, and neither showed the update as being available.
  • by __aaitqo8496 ( 231556 ) on Tuesday May 10, 2005 @03:24PM (#12491513) Journal
    wait... did they just create an advisory based on changelog? didn't this happen with firefox not long ago?
  • From TFA: A vulnerability has been reported in iTunes, which potentially can be exploited by malicious people to compromise a user's system [...] caused (by) a boundary error [...] and can be exploited to cause a buffer overflow via a specially crafted MPEG-4 file [...] (that could) allow execution of arbitrary code.

    This is worrisome on one hand, but on the other, there is no description of what it takes to "specially craft" an MP4 to take advantage of the exploit.

    I chalk it up as yet another reason to u
    • You forgot the liner notes which, finally, come with that particular Dave Matthews Band album.
    • - syncing of contacts/calendars to iPod

      Not sure I understand the value of this. I drop my iPod in the cradle, iTunes launches and syncs any new music, and iSync launches and syncs any contact/calendar changes. Not sure why they didn't move it the other way, where iSync is in charge of syncing the music to the iPod...
      • Let me help clarify...

        For Windows users, iSync doesn't exist. On June 6, Steve Jobs is giving a keynote at WWDC2005 and will likely introduce the Apple/Motorola iTunes phone. This device will need to sync not only music but contacts and calendar entries too. So, they built the functionality into iTunes.

        You can still use iSync since you use a Mac. For Windows users, this functionality will prepare them for "one more thing(tm)".
  • FrSIRT? (Score:4, Funny)

    by commodoresloat ( 172735 ) on Tuesday May 10, 2005 @03:29PM (#12491571)
    Did they get the FrSIRT post in when they published this vulnerability?
  • by Anonymous Coward on Tuesday May 10, 2005 @03:32PM (#12491609)
    Why is the title of this article "Apple iTunes Hit With a New Critical Flaw"? Shouldn't it be "New Apple iTunes Fixes Critical Flaw"?
    • It's about the focus. The former headline puts the focus on the flaw, while the latter headline puts the focus on the update to iTunes.

      As the summary leaves out other features the iTunes update has while explaining the critical flaw that iTunes faced, the submitter clearly intended to focus on the security issues, hence he chose the former headline, which is accurate.

      In any case, if the latter headline were used, it wouldn't be as news-worthy, as it would seem to be more of a Slashvertisement for iTunes t
  • oh no (Score:5, Funny)

    by fulldecent ( 598482 ) on Tuesday May 10, 2005 @03:48PM (#12491770) Homepage
    This is devastating! I need this fixed yesterday.
    • -- I was raised on the command line, bitch
      You think you had it bad? I was raised by the command lines of DOS and Linux, IRC and shock sites [wikipedia.org]. Chiefly by IRC though.

      And now I'm a Mac OS X user. Go figure. :-)

  • Do we really need this kind sensationalism?
    The announce of the new version fixing this was posted on /. yesterday.

    Anything new?
  • Time between Apple vulnerability being found and patched: Measured with a stopwatch.

    Time between Microsoft vulnerability being found and patched: Measured by counting redwood tree rings.

    Alternately, we could measure Microsoft's patch time by the number of spam e-mails an unpatched zombie system sends out. "Wow, Microsoft patched that security hole after only 9,000,000 SoBigs! They're really improving!"

    Crow T. Trollbot
