Original URL: http://www.theregister.co.uk/2007/09/07/itunes_bug_patched/
Apple patches critical iTunes bug
Buffer overflow risk neutered
Posted in Security, 7th September 2007 10:15 GMT
In all the hoopla surrounding Apple's announcement of its revamped line of iPods on Wednesday, many users might have missed the company's update to iTunes, which includes a fix for a serious security flaw.
The update, which brings the consumer technology company's iTunes music software to version 7.4 (http://www.apple.com/itunes/download/), adds the ability to turn previously bought music into ringtones and the ability to buy songs wirelessly using the iPhone and network-capable iPods. The update also patches a serious security vulnerability: a specially crafted music file could crash iTunes or run arbitrary code on a victim's Windows PC or Mac, the company stated in an advisory (http://docs.info.apple.com/article.html?artnum=306404).
"A buffer overflow exists in iTunes when processing album cover art," the company stated. "By enticing a user to open a maliciously crafted music file, an attacker may trigger the overflow which may lead to an unexpected application termination or arbitrary code execution."
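The bug class Apple describes, as an added illustration that is not iTunes' code and not Apple's: a simplified cover-art frame layout, constructed for this example only (not a real ID3 or MP4 structure), carries a length field that a naive parser trusts as the memcpy size into a fixed 4096-byte buffer. The hardened parser beside it bounds the declared length by both the bytes actually present in the file and the size of the destination, which is the check the vulnerable pattern lacks. All function names, the frame layout and the sample frames are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified cover-art frame layout used only for this demo.
 * It is NOT iTunes' parser and NOT a real ID3 or MP4 layout:
 *   bytes 0..3  declared payload length, big-endian
 *   byte  4     picture-type marker (ignored here)
 *   bytes 5..   payload (the image bytes)                                  */
#define COVER_HDR_LEN 5
#define COVER_MAX     4096   /* fixed-size destination: the overflow target */

struct cover_art {
    uint8_t data[COVER_MAX];
    size_t  len;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length field from the file is trusted and used
 * directly as the memcpy size into the fixed COVER_MAX buffer. So that this
 * demo never corrupts memory, it returns the byte count such code would copy
 * rather than copying; any value above COVER_MAX is the overflow.          */
size_t vulnerable_copy_length(const uint8_t *frame, size_t frame_len) {
    if (frame_len < COVER_HDR_LEN)
        return 0;
    /* bug class: memcpy(art->data, frame + COVER_HDR_LEN, be32(frame)); */
    return be32(frame);
}

/* Hardened parser: the declared length must fit both the bytes actually
 * present in the file and the destination buffer. Returns 0 on success,
 * -1 for any malformed or oversized frame; nothing is copied on failure.   */
int parse_cover_art_safe(const uint8_t *frame, size_t frame_len,
                         struct cover_art *out) {
    if (frame == NULL || out == NULL || frame_len < COVER_HDR_LEN)
        return -1;
    uint32_t declared  = be32(frame);
    size_t   available = frame_len - COVER_HDR_LEN;
    if (declared > available)   /* truncated file: the header lies */
        return -1;
    if (declared > COVER_MAX)   /* larger than the destination buffer */
        return -1;
    memcpy(out->data, frame + COVER_HDR_LEN, declared);
    out->len = declared;
    return 0;
}

/* Builds a frame whose header declares `declared` bytes but which actually
 * carries `present` payload bytes, so both checks above can be exercised
 * independently. Returns the total frame size, or 0 if buf is too small.  */
size_t build_frame(uint8_t *buf, size_t buf_len,
                   uint32_t declared, size_t present) {
    if (buf_len < COVER_HDR_LEN + present)
        return 0;
    buf[0] = (uint8_t)(declared >> 24);
    buf[1] = (uint8_t)(declared >> 16);
    buf[2] = (uint8_t)(declared >> 8);
    buf[3] = (uint8_t)(declared);
    buf[4] = 0x03;                              /* arbitrary marker value */
    memset(buf + COVER_HDR_LEN, 0x41, present); /* constructed image bytes */
    return COVER_HDR_LEN + present;
}

/* Scenario helpers: build one constructed frame and report what each parser
 * does with it (the vulnerable copy size, and the hardened verdict).       */
size_t scenario_vulnerable_length(uint32_t declared, size_t present) {
    static uint8_t file[COVER_HDR_LEN + 2 * COVER_MAX];
    size_t n = build_frame(file, sizeof file, declared, present);
    return n ? vulnerable_copy_length(file, n) : 0;
}

int scenario_safe_result(uint32_t declared, size_t present) {
    static uint8_t file[COVER_HDR_LEN + 2 * COVER_MAX];
    struct cover_art art;
    size_t n = build_frame(file, sizeof file, declared, present);
    return n ? parse_cover_art_safe(file, n, &art) : -2;
}

int main(void) {
    printf("benign 16-byte art: safe=%d\n", scenario_safe_result(16, 16));
    printf("8192-byte art, %d-byte buffer: vulnerable copies %zu bytes, safe=%d\n",
           COVER_MAX, scenario_vulnerable_length(2 * COVER_MAX, 2 * COVER_MAX),
           scenario_safe_result(2 * COVER_MAX, 2 * COVER_MAX));
    printf("header claims 100, file has 10: safe=%d\n",
           scenario_safe_result(100, 10));
    return 0;
}
```

The two rejections matter for different reasons: a declared length larger than the bytes present makes the copy read past the end of the file data, and a declared length larger than the destination makes it write past the end of the buffer, which is the arbitrary-code-execution path the advisory warns about. Checking only one of them is not enough.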
Apple has patched more than 100 vulnerabilities (http://www.securityfocus.com/brief/532) in its Mac OS X operating system and applications this year. Many security researchers and hackers have begun to focus (http://www.securityfocus.com/news/11478) on the consumer technology company's latest mobile device, the iPhone, which received its first patch (http://www.securityfocus.com/brief/560) in July.
Apple credited iSEC Partners (http://www.isecpartners.com/) with the discovery of the vulnerability.
A nod to ZDNet's Zero Day blog (http://blogs.zdnet.com/security/?p=496).
This article originally appeared in Security Focus (http://www.securityfocus.com/brief/584).
Copyright © 2007, SecurityFocus (http://www.securityfocus.com/)
