Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple plugs 57 major security holes in iTunes

March 3, 2011, 8:11am PST

Summary: If you use Apple’s iTunes software — whether on Windows or Mac OS X — it’s important that you immediately apply the latest software update.

Apple has shipped iTunes 10.2 as a highly critical patch to cover a whopping 57 security vulnerabilities, some serious enough to allow hackers to take complete control of a vulnerable machine.

According to an advisory from Apple, 50 of the 57 flaws were fixed in WebKit, the open-source rendering engine used within the multimedia software.

The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site, Apple warned.

Most of the WebKit flaws were reported by Google’s security team and TippingPoint’s ZDI, a third-party broker of vulnerability information.

In addition to the WebKit issue, Apple also fixed the following:

  • ImageIO: libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. For Mac OS X v10.5 systems, this is addressed in Security Update 2010-007. Further information is available via the libpng website. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A heap buffer overflow issue existed in ImageIO’s handling of JPEG images. Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A buffer overflow existed in libTIFF’s handling of JPEG encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A buffer overflow existed in libTIFF’s handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • libxml: A double free issue existed in libxml’s handling of XPath expressions. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • libxml: A memory corruption issue existed in libxml’s XPath handling. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).

The company called special attention to a man-in-the-middle attack scenario that may lead to an unexpected application termination or arbitrary code execution while a target user is browsing the iTunes Store via iTunes. This is caused by a vulnerability in WebKit.

iTunes 10.2 is being pushed out via the Mac OS X and Windows software update mechanisms.  It can also be downloaded directly from Apple’s iTunes web site.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

58 Comments

RE: Apple plugs 57 major security holes in iTunes
bvonr@... 7th Mar 2011
@athynz I had it not that long ago but decided that since I have a Windows 7 Tablet I don't need an iPad I also don't need iTunes. And yes I thought it was buggy and bloated. I really feel sorry for people with an iDevice that has to use iTunes to install ANYTHING on your iPad and some iDevices.
0 Votes
+ -
iTunes? Don't you mean Zune?
Will Farrell 3rd Mar 2011
because I heard that Apple doesn't make software with security vulnerabilities, so it must have been a mistype
0 Votes
+ -
@Will Farrell

troll much?
0 Votes
+ -
Apparently...
Wolfie2K3 4th Mar 2011
@maskman01
... Sarcasm eludes you. Doesn't it...
0 Votes
+ -
@Will Farrell

You seem to be suffering from Apple derangement syndrome. Please consult your physician
0 Votes
+ -
@Will Farrell
Apple may make mistakes on occasion, the key thing is Apple comes back to fix them.
@Michael Mat: Apple may make mistakes on occasion, the key thing is Apple comes back to fix them.

You obviously missed the point of Will Farrell's post.
0 Votes
+ -
Please don't feed the trolls.
rahbm 3rd Mar 2011
NT
@Michael Mat : Yup. Remember that Java bug in the OS X? I think it took them 18 months to fix. Better late than never. Eh? happy
0 Votes
+ -
@Will Farrell
You heard something that was wrong. You have to work on your sourcing quality control and your discernment skills.
0 Votes
+ -
Please don't feed the trolls!
rahbm 3rd Mar 2011
@DannyO_0x98
0 Votes
+ -
@Will Farrell, I'm with you.

But be careful, there are thousands of apple drones with the mentality of children experiencing their 'terrible twos'. They see nothing but the shiny objects of their desire.
0 Votes
+ -
Who apparently think they need to distract everyone from issues with MS software.

As stated in the Bible, Matthew 7:5 "You hypocrite, first take the log out of your own eye, and then you will see clearly to take the speck out of your brother's eye."
0 Votes
+ -
@Will Farrell

Yeah ignorant itards
@Michael Mat: bwaaahhhhhhhh hahahahah! You Apple fanboys crack me up. Just because you think a product is "cool" means a company can do no wrong??? Boy have you drunk a lot of koolaid.

Why not take a poll of the people whose iTunes accounts have been hacked as a result of Apple's carelessness with security? See how Apple has treated them.
0 Votes
+ -
@marianc Well, looks like Windows finally has some company in the security holes department. Must have felt really lonely there for a long time.

Feel better?
0 Votes
+ -
Finally?
ye 3rd Mar 2011
@I12BPhil: Well, looks like Windows finally has some company in the security holes department. Must have felt really lonely there for a long time.

Apple has always been there. One could make the argument Apple leads.
@I12BPhil : It's one thing for an OS to have a bunch of holes - but ONE product? 57 of them? Why did Apple wait so long. Surely they knew about them for longer than a month?

Oh ya. Take any month of security updates for windows and I don't think they exceeded 50 vulnerabilities fixed. Neither does Linux have that problem.
@marianc
Yes, the Apple fanboys can be tiresome, as can the Linux cronies, but they are both far outranked by the bigots who carry on as if Microsoft is the saviour of the world and can do no wrong - even though none of its products is "cool".
0 Votes
+ -
This is a disgrace
LTV10 3rd Mar 2011
This is a disgrace. Even for Apple. iTunes suffers from so much bloatware that it will soon choke on its own code.

No defense for it, here.
0 Votes
+ -
@LTV10

LOL
0 Votes
+ -
Time for an iTunes Rewrite
dazzlingd 3rd Mar 2011
iTunes is full of bloat on both Windows and Mac. It's a major resource hog on both platforms.

It's also like managing your media with Excel.

If Apple re-wrote it then the world would be a much happier place.
0 Votes
+ -
RE: Apple plugs 57 major security holes in iTunes
Pete "athynz" Athens 3rd Mar 2011
I wondered how many ABAers would come out here to blast Apple for plugging the holes in iTunes... and some of the usual suspects are here. Question is how many of you trolls actually USE iTunes? Oh wait NONE! "oh it's bloated" "it runs so slow on my PC" "it's made by Apple"... yeah yeah yeah.

I run iTunes on my 6 year old Dell XPS running Windows 7 and I have had maybe 1 issue the entire time I've had iTunes on my computer... it is not slow, not bloated, and just works for me.

Instead of all the naysaying why don't you trolls give it a whirl? Wait, no because you are scared you might actually like something made by Apple.
@athynz
Wait, iTunes is such a bloated pig of an application. It takes up a whole 180 MB of hard drive space. Granted when you include the media (apps, movies, songs) the size goes up quite considerably. (I'm seeing the itunes folder contains around 15 GB). I wonder how much space Windows Media Player takes up? I also wonder how much space the iTunes app takes up on a Windows computer?
0 Votes
+ -
@Rick_K and athynz
When iTunes is maxing out both processor cores in my 4 Gig RAM, Core 2 Duo iMac running 10.6.6, by syncing my daughter's iPod Touch, I think that's a bit of a clue about it being poorly written software. Especially when nothing else is running. (It's either that or iPhoto, although I forgive iPhoto as it's actually quite useful when editing photos in a hurry.)

@Rick_K - computers have things called processors and memory, not just storage. Try looking in the Utilities folder. Or click the little Apple icon and select "About my Mac."

I'm bored of using Force Quit. I'm so glad that right click is supported by Apple, even though I normally have to do it more than once.

I won't go too much into how bad it is in Windows (always the #1 CPU process or using 300M of RAM) Can you spell "Memory Leak?" iTunes is just banned on the family's PCs.

Just call me an ABA'er, even though I use BOTH platforms (plus a couple of Ubuntu and Mandriva boxes) and I call it as I see it...
0 Votes
+ -
@Rick_K You got me wondering, on my Mac I just did a rt-click on the iTunes application to Show Package Content. The bulk of the weight was in a folder called Resources and each language has its own folder and there are dozens of languages. English was 5.7MB. I wonder if there is a language "stripper" for iTunes. That would trim it down considerably.

I just dragged all the non-english out and it seems to be working fine. It's now 57MB.
0 Votes
+ -
@athynz

It may work for you but I do live in Cupertino and get to see all the other Apple loons and guess what? They hate iTunes as well and all say the same. I know people who work for Apple and some high up... All the same. Maybe during a refresh they may be able to speed up the code to match OSX speeds. Also just because someone doesn't like something doesn't by default mean they hate Apple nor their products. I used iTunes for about 10 minutes but aside of it being slow and bulky I also didn't like the built in Dictatorship from Apple and wiping a friends device. I did a quick search and found SharePod does all the same at a minimal size and all the freedom. Maybe slow to us is fast to you until you finally use something fast wink
0 Votes
+ -
@athynz To me it has nothing to do with whether iTunes is bloated, slow, or anything else. It has to do with the fact that the Windows version of iTunes is so completely bug ridden and has been for so many years that it makes me think that Apple may want it that way to help erode MS's market share.

My computers don't have iTunes (home or work) and guess what, I haven't had a malware in years. Maybe there is a correlation there, maybe there is not. But, it would be nice to know what applications if installed have shown a significant increase in malware. My money would be that it shows iTunes is one of the leaders.
0 Votes
+ -
RE: Apple plugs 57 major security holes in iTunes
Pete "athynz" Athens 3rd Mar 2011
@rmark@... My computers don't have iTunes (home or work) and guess what, I haven't had a malware in years. Maybe there is a correlation there, maybe there is not. But, it would be nice to know what applications if installed have shown a significant increase in malware. My money would be that it shows iTunes is one of the leaders.

Based on my personal experience I would say that iTunes is not a malware culprit as I do not have any malware on any of my computers at home and all of them run iTunes as we all have iPhones and use iTunes to sync them. And iTunes does run slow on one computer - a Dell Dimension 110 running Windows XP with a single core processor and 512MB ram. The rest of the computers (2 laptops and my XPS) are all dual core and run Windows 7. NONE have malware. At work I manage 5 computers running Windows 7 (a couple of them have iTunes on them) and it does not run slow nor do they have any malware.
@athynz Personally, I think people are running something else on their systems that makes iTunes a processor hog. Even when I'm ripping a CD into ALAC and copying several GiB of video files at the same time, my C2D hackintosh never sees iTunes break 20%. Now, if I'm using iTunes to re-encode video (bad idea and it happens when you sync HD content to various iPod models), the processor gets pegged. But that's why smart people use programs like Handbrake to re-encode their video to lower resolutions in the first place, and not Quicktime.
0 Votes
+ -
@athynz I do not use, itunes, quicktime or safari. I don't need to bash Apple, their fans shoot themselves every time they bash anything Windows or MS related. You reap what you sow.
0 Votes
+ -
"The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site"

And how exactly does one surf to a rigged web site in iTunes? These vulnerabilities, while significant for Webkit, are not that significant within the walled garden of iTunes.
Is this because apple is full of lazy developers. Those who live in glass houses...
0 Votes
+ -
Wonderful. Apple already eats 25% of my day(night) and now I have to download a new release on each computer so I can use their "legal ransomware"?
Apple could do a rewrite now that they know what works and how to do it. iTunes came from the purchase of SoundJam in 2000.
http://en.wikipedia.org/wiki/ITunes#History
Just like Snow Leopard cleaned OSX house maybe it's time to do the same with iTunes.
0 Votes
+ -
Time to write a new program, Apple.

From the ground up.
0 Votes
+ -
iTunes is the worst piece of unsecure crap ware EVER created! Only the complete collection of poorly coded ActiveX controls comes close to this disgraceful product from a company that doesn't get security at all!
0 Votes
+ -
@rmark@... can you name any actual infections that have resulted from iTunes?
0 Votes
+ -
RE: Apple plugs 57 major security holes in iTunes
alsobannedfromzdnet 3rd Mar 2011
@rmark@...

Have you updated a Samsung Galaxy S using Kies, or a SonyEricsson X10 using PC companion?

Ever used Nokia suite (now Ovi), LG whatever it is, Motorola's software, RIM Blackberry desktop?

Believe you me, there's worse device syncing and updating software out there, a lot worse.
In reading the fix list, it seems to me that most of the fixes are in OpenSource library code (libtiff, libxml, webkit). Any programs that use these libraries probably need to be updated.
0 Votes
+ -
RE: Apple plugs 57 major security holes in iTunes
alsobannedfromzdnet Updated - 3rd Mar 2011
I thought this update was to get ready for the iPad2 and the iOS 4.3 update.

So Apple took the opportunity to patch a few things as well, like they always do, with every update.

And as usual ZDnet focusses on the patches, like they always do.

So why don't you fill us in on some of the new functionality?
0 Votes
+ -
Looney Tunes
bervick@... Updated - 3rd Mar 2011
Here's the remarkable thing. Its strength (at least according to Apple devotees) may also be its ACHILLES heel. You HAVE to use iTunes with Apple. So if there is a vulnerability (now or later) in iTunes, you could get hosed that way in spite of the walled garden. With other non-closed systems, you get hit if you do something stupid.

This way, you could prob get hit because you had no choice but to use iTunes.
0 Votes
+ -
RE: Apple plugs 57 major security holes in iTunes
alsobannedfromzdnet 3rd Mar 2011
@bervick@...

It's a good thing Apple plugs them BEFORE they have EVER been exploited.

Besides this is a major update to iTunes to prepare for the iPad 2 launch and the iOS update in eight days time.
0 Votes
+ -
When it comes to software, nothing is 100% secure. The sooner people embrace this idea the happier you will all feel.
I love to hear about Apple's security vulnerabilities. I hope that a large number of fanbois got properly spanked for their insipid belief that Apple software is bulletproof.
0 Votes
+ -
Why oh why do people think an apple product has no bugs. Try the original iPAD software. If MS released something with that many bugs OMG , But apple, OOOhhh no, people were too taken with the iCandy
