Apple iTunes Hit With a New Critical Flaw
Jameson writes "Apple has released a new iTunes version to correct a security vulnerability reported by Mark Litchfield. FrSIRT and Secunia marked the flaw as "critical", because it can be exploited by malicious people to compromise a user's system via a maliciously crafted MPEG4 file.
iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files."
Thanks for the FUD (Score:5, Insightful)
But TFAs don't say anything about this having to do with DRMed MP4s.
In fact, I don't see how one could "specially craft" (per the articles) a DRM protected MP4 and allow it to be played on any computer. Certainly Apple isn't going to sell DRM protected songs that crash the user's computer.
No, instead, this vulnerability would exist if people got an MP4 (AAC) song off a P2P fileshare where someone exploited the pre-4.8 iTunes.
Again, your FUD is appreciated.
Re:Thanks for the FUD (Score:2, Informative)
He was referring to Apple working around DRM-circumvention software (I think it was called pyMusique) by updating iTunes.
And it's convenient to tell people they *have* to update iTunes because of a security hole. (It IS convenient, yes, but I don't think that's Apple's intention. I don't think the grandparent was saying that either.)
Re:Thanks for the FUD (Score:2, Insightful)
- I told you OS X had major security issues.
- I don't need to worry about it. iTunes doesn't run on my linux box.
But yeah, of the three, yours is far better. I mean, since we all have hard disks and portable music players of infinite size, things like WAV and FLAC make perfect sense for the standard user.
Re:Thanks for the FUD (Score:2)
Oooor got it off of some garage band's web site, or decided they liked the background music at a web site and downloaded it and stuck it in iTunes, or (possibly) downloaded a video mpeg4 file from somewhere on the net and imported THAT into iTunes. (Yes, you can; in fact, I've done it accidentally a number of times, with video files that were mis-typed by web servers
Not amazingly new (Score:5, Informative)
So patched before public disclosure (Score:3, Interesting)
Though I'm puzzled -- why doesn't iTunes 4.8 show up in my Software Update yet? (Mac OS X 10.4, current iTunes version 4.7.1.)
Re:So patched before public disclosure (Score:1)
At least in theory. It didn't show up there yet for me. Oh well, I patched it manually already. Ironically, it said something like "Next time, you can get this from Software Update and not go through this cumbersome process" when I went to download it off Apple's web site.
Re:So patched before public disclosure (Score:3, Informative)
What's new in iTunes 4.8
iTunes 4.8 includes new Music Store features and support for transferring contacts and calendars from your computer to your iPod (requires Mac OS X version 10.4 on your computer).
So, no mention of a security hole or its having been patched. Hmmm.
I ran SU manually just now and it did not show up. I quit and re-launched version 4.7.1 to see if it would auto-check and it did not (as suggested above, perhaps this is a Windoze only feature). It has been suggested
Re:So patched before public disclosure (Score:1)
Damn! This means I wasted 2.7 seconds typing 'biteme@mybigfat.org' when all I had to do was click three times.
Re:So patched before public disclosure (Score:5, Informative)
All Apple Security updates can be found here [apple.com].
You can sign up for email notification (with PGP) here [apple.com].
All that said, I've never seen it take so long for an update like this to show up in Software Update. If this is a new policy (I can see marketing saying, "make them go to the website so we can show off new features"), I'm going to be unhappy.
Update notice via iTunes (Score:3, Insightful)
Not via software update, but it's something.
How Apple handles burst traffic (Score:3, Interesting)
The process you suggest is not how Apple manages server load "bursting".
Instead, Apple is a customer of Akamai [akamai.com], pretty much the only vendor (now that they bought their closest competitor, Speedera) of distributed hosting for On Demand (burst) Management and Content Delivery (used for iTunes Music Store) for global enterprises. These folks han
Kind of. (Score:1, Informative)
Re:Kind of. (Score:2)
I would be interested to read about this. Do you have a link to more information?
Re:So patched before public disclosure (Score:3, Interesting)
read changelog, post advisory, rinse and repeat (Score:4, Interesting)
TFA is pretty short on description (Score:2)
This is worrisome on one hand, but on the other, there is no description of what it takes to "specially craft" an MP4 to take advantage of the exploit.
I chalk it up as yet another reason to u
Re:TFA is pretty short on description (Score:2)
Not sure I understand the value of this. I drop my iPod in the cradle, iTunes launches and syncs any new music, and iSync launches and syncs any contact/calendar changes. Not sure why they didn't move it the other way, where iSync is in charge of syncing the music to the iPod...
Re:TFA is pretty short on description (Score:2)
For Windows users, iSync doesn't exist. On June 6, Steve Jobs is giving a keynote at WWDC2005 and will likely introduce the Apple/Motorola iTunes phone. This device will need to sync not only music but contacts and calendar entries too. So, they built the functionality into iTunes.
You can still use iSync since you use a Mac. For Windows users, this functionality will prepare them for "one more thing(tm)".
FrSIRT? (Score:4, Funny)
Misleading Article Title (Score:5, Insightful)
Re:Misleading Article Title (Score:2, Flamebait)
As the summary leaves out other features the iTunes update has while explaining the critical flaw that iTunes faced, the submitter clearly intended to focus on the security issues, hence he chose the former headline, which is accurate.
In any case, if the latter headline were used, it wouldn't be as news-worthy, as it would seem to be more of a Slashvertisement for iTunes t
oh no (Score:5, Funny)
Re:Your sig (Score:1)
And now I'm a Mac OS X user. Go figure.
Slashdot News Hit With a New Stupid Title (Score:2, Insightful)
Do we really need this kind of sensationalism?
The announce of the new version fixing this was posted on
Anything new?
The Difference Between Apple & Microsoft Patch (Score:1, Funny)
Time between Microsoft vulnerability being found and patched: Measured by counting redwood tree rings.
Alternately, we could measure Microsoft's patch time by the number of spam e-mails an unpatched zombie system sends out. "Wow, Microsoft patched that security hole after only 9,000,000 SoBigs! They're really improving!"
Crow T. Trollbot