
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple fixes iTunes man-in-the-middle security hole

By | November 14, 2011, 11:24am PST

Summary: The vulnerability affects both Mac OS X and Windows users and lets a man-in-the-middle attacker offer harmful software that appears to originate from Apple.

Apple today shipped an iTunes update to fix a serious security hole that could allow man-in-the-middle hacking attacks.

iTunes 10.5.1, available for both Mac and Windows users, addresses a flaw that lets a man-in-the-middle attacker offer harmful software that appears to originate from Apple.

From Apple’s advisory:

iTunes periodically checks for software updates using an HTTP request to Apple. This request may cause iTunes to indicate that an update is available. If Apple Software Update for Windows is not installed, clicking the Download iTunes button may open the URL from the HTTP response in the user’s default browser. This issue has been mitigated by using a secured connection when checking for available updates. For OS X systems, the user’s default browser is not used because Apple Software Update is included with OS X, however this change adds additional defense-in-depth.

iTunes 10.5.1 can be downloaded directly from Apple’s web site.
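
The mitigation the advisory describes, as an added example that is not Apple's code: a client opens a download link only if the update check itself ran over HTTPS, and (going beyond what the advisory states) only if the link is an https URL on a fixed host list. The host name `downloads.vendor.example`, the function name and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: the advisory does not name Apple's download hosts.
ALLOWED_HOSTS = frozenset({"downloads.vendor.example"})


def download_url_problem(url, fetched_over, allowed_hosts=ALLOWED_HOSTS):
    """Return None if url may be opened in the browser, else the reason not to.

    fetched_over is the scheme used for the update check that returned url.
    """
    # A reply fetched over plain HTTP can be rewritten in transit, so the
    # URL inside it cannot be trusted no matter what it looks like.
    if fetched_over.lower() != "https":
        return "update check was not made over TLS"
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return "download URL is not https"
    # user@host forms make a link read like the vendor's while the real
    # host is whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        return "download URL carries userinfo"
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "download URL has an invalid port"
    if port not in (None, 443):
        return "download URL uses a non-default port"
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:  # exact match, no suffix matching
        return f"host {host!r} is not on the allow-list"
    return None


# Constructed test inputs: (URL from the update reply, scheme of the check).
SAMPLES = [
    ("https://downloads.vendor.example/iTunesSetup.exe", "https"),
    ("https://downloads.vendor.example/iTunesSetup.exe", "http"),
    ("http://downloads.vendor.example/iTunesSetup.exe", "https"),
    ("https://downloads.vendor.example@mirror.invalid/iTunesSetup.exe", "https"),
    ("https://downloads.vendor.example.mirror.invalid/iTunesSetup.exe", "https"),
]

if __name__ == "__main__":
    for url, scheme in SAMPLES:
        print(download_url_problem(url, scheme) or "ok to open", "<-", url)
```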


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

10 Comments


RE: Apple fixes iTunes man-in-the-middle security hole
ScorpioBlue 15th Nov
@Rick_Kl
I seriously doubt Charlie Miller is out to break the law. Cut the crap.
I see Charlie Miller is still attacking Apple. I wonder if Ballmer is paying him more these days? This attack is from Miller, just like his attack on iOS, and was created using an Apple SDK, rather than just finding some random flaw, like 99.98937% of Windows flaws and vulnerabilities wink :P
@Rick_Kl Wait what? Did you read the same article that I just did? Color me confused.

Good thing this got fixed.
@Dodgson1832 There is evidence that Charlie Miller is behind this attack on iTunes. Charlie Miller is a glory-seeking terrorist in the tech world, and has singled out Apple as his target of choice. Every time there was a security issue with Windows, Miller would claim one with Apple, even if it was not true. Even if he had to fabricate the facts to meet his demented view. He was recently removed as an iOS developer when he inserted an attack vector in the iOS app store.
@Dodgson1832 I know who Charlie Miller is. Considering that his work has made Apple products considerably safer, I think that it is great that he keeps finding security holes. When security researchers discover security holes, it is not normally considered an attack.
@Dodgson1832 When a so-called researcher indicates that he would like to put out a lit cigarette in the user's eye, that is the sign of a terrorist. Now add to that the so-called problem required third-party drivers to be installed. This supposedly Apple security flaw also worked on all versions of Windows, yet Miller chose to single out Apple. Miller is not a researcher, but a narcissistic terrorist???.
@Rick_Kl

This has nothing to do with Windows.

Why is it that you have to attack an opposing product when your precious Apple has a flaw? Why is it so bad that he pointed it out? Would you rather all flaws get unreported, just for image?
@Michael Alan Goff It is clear who is behind many of the recent attacks on Apple products.
You didn't really respond to my post.

Why does it matter? Flaws are getting fixed, users are more secure than before. This isn't a bad thing. Patches are not a bad thing.
Between this and the new iPhone update, Apple is rolling out lots of new improvements to its existing products this week. Good to see the company is constantly working to improve its products and services. http://www.mosaictec.com
