Great Debate 11am ET/8am PT Apple, Congress face off over taxes: Cook testifying

Topic: Apple

Apple plugs 57 major security holes in iTunes

Summary: If you use Apple's iTunes software -- whether on Windows or Mac OS X -- it's important that you immediately apply the latest software update.

Ryan Naraine

By for Zero Day |

If you use Apple's iTunes software -- whether on Windows or Mac OS X -- it's important that you immediately apply the latest software update.

Apple has shipped iTuens 10.2 as a highly-critical patch to cover a whopping 57 security vulnerabilities, some serious enough to allow hackers to take complete control of a vulnerable machine.

According to an advisory from Apple, 50 of the 57 flaws were fixed in WebKit, the open-source rendering engine used within the multimedia software.

The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site, Apple warned.follow Ryan Naraine on twitter

Most of the WebKit flaws were reported by Google's security team and TippingPoint's ZDI, a third-party broker of vulnerability information.

In addition to the WebKit issue, Apple also fixed the following:

  • ImageIO: libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. For Mac OS X v10.5 systems, this is addressed in Security Update 2010-007. Further information is available via the libpng website. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A heap buffer overflow issue existed in ImageIO's handling of JPEG images. Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A buffer overflow existed in libTIFF's handling of JPEG encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A buffer overflow existed in libTIFF's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • libxml: A double free issue existed in libxml's handling of XPath expressions. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • libxml: A memory corruption issue existed in libxml's XPath handling. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).

The company called special attention to a man-in-the-middle attack scenario may lead to an unexpected application termination or arbitrary code execution while a target user is browsing the iTunes Store via iTunes.  This is caused by a vulnerability in WebKit.

iTunes 10.2 is being pushed out via the Mac OS X and Windows software update mechanisms.  It can also be downloaded directly from Apple's iTunes web site.

Topics: Apple, Microsoft, Operating Systems, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

58 comments
Log in or register to join the discussion

  • iTunes? Don't you mean Zune?

    because I heard that Apple doesn't make software with security vulnerabilities, so it must have been a miss-type
    Will Farrell
    Reply Vote

    • RE: Apple plugs 57 major security holes in iTunes

      @Will Farrell

      troll much?
      maskman01
      Reply Vote

      • Apparently...

        @maskman01
        ... Sarcasm eludes you. Doesn't it...
        Wolfie2K3
        Reply Vote

    • RE: Apple plugs 57 major security holes in iTunes

      @Will Farrell

      troll much?
      maskman01
      Reply Vote

    • RE: Apple plugs 57 major security holes in iTunes

      @Will Farrell

      You seem to be suffering from Apple derangement syndrome. Please consult your physician
      edomejn
      Reply Vote

    • RE: Apple plugs 57 major security holes in iTunes

      @Will Farrell
      Apple may make mistakes on occasion, the key thing is Apple comes back to fix them.
      Michael Mat
      Reply Vote

      • On occasion? This is 57 vulnerabilities in one application.

        @Michael Mat: <i>Apple may make mistakes on occasion, the key thing is Apple comes back to fix them.</i><br><br>You obviously missed the point of Will Farrell's post.
        ye
        Reply Vote

      • Please don't feed the trolls.

        NT
        rahbm
        Reply Vote

      • RE: Apple plugs 57 major security holes in iTunes

        @Michael Mat : Yup. Remember that Java bug in the OS X? I think it took them 18 months to fix. Better late than never. Eh? :-)
        Gis Bun
        Reply Vote

    • RE: Apple plugs 57 major security holes in iTunes

      @Will Farrell
      You heard something that was wrong. You have to work on your sourcing quality control and your discernment skills.
      DannyO_0x98
      Reply Vote

      • Please don't feed the trolls!

        @DannyO_0x98
        rahbm
        Reply Vote

    • You're attacked by the bastard children cupertino

      @Will Farrell, I'm with you.

      But be careful, there are thousands apple drones with the mentality of children experiencing their 'terrible twos'. They see nothing but the shiny objects of their desire.
      charles@...
      Reply Vote

      • Exceeded only by the MS trolls here

        Who apparently think they need to distract everyone from issues with MS software.

        As stated in the Bible, Matthew 7:5 "You hypocrite, first take the log out of your own eye, and then you will see clearly to take the speck out of your brother?s eye."
        rahbm
        Reply Vote

    • RE: Apple plugs 57 major security holes in iTunes

      @Will Farrell

      Yeah ignorant itards
      mikroland
      Reply Vote

  • RE: Apple plugs 57 major security holes in iTunes

    @Michael Mat: bwaaahhhhhhhh hahahahah! You Apple fanboys crack me up. Just because you think a product is "cool" means a company can do no wrong??? Boy have you drunk a lot of koolaid.

    Why not take a poll of the people whose iTuens accounts have been hacked as a result of Apple's carelessness with security? See how Apple has treated them.
    marianc
    Reply Vote

    • RE: Apple plugs 57 major security holes in iTunes

      @marianc Well, looks like Windows finally has some company in the security holes department. Must have felt really lonely there for a long time.

      Feel better?
      I12BPhil
      Reply Vote

      • Finally?

        @I12BPhil: [i]Well, looks like Windows finally has some company in the security holes department. Must have felt really lonely there for a long time.[/i]

        Apple has always been there. One could make the argument Apple leads.
        ye
        Reply Vote

      • RE: Apple plugs 57 major security holes in iTunes

        @I12BPhil : It's one thing for an OS to have a bunch of holes - but ONE product? 57 of them? Why did Apple wait so long. Surely they knew about them for longer than a month?

        Oh ya. Take any month of security updates for windows and I don't think they erxceeded 50 vulnerbilities fixed. Neither does Linux have that problem.
        Gis Bun
        Reply Vote

    • Fanboys, zealots, and trolls or all colours here!

      @marianc
      Yes, the Apple fanboys can be tiresome, as can the Linux cronies, but they are both far outranked by the bigots who carry on as if Microsoft is the saviour of the world and can do no wrong - even though <i>none</i> of its products is "cool".
      rahbm
      Reply Vote

  • This is a disgrace

    This is a disgrace. Even for Apple. iTunes suffers from so much bloatware that it will soon choke on it's own code.

    No defense for it, here.
    LTV10
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close