Apple plugs 57 major security holes in iTunes
If you use Apple's iTunes software -- whether on Windows or Mac OS X -- it's important that you immediately apply the latest software update.
Apple has shipped iTunes 10.2 as a highly critical patch to cover a whopping 57 security vulnerabilities, some serious enough to allow hackers to take complete control of a vulnerable machine.
According to an advisory from Apple, 50 of the 57 flaws were fixed in WebKit, the open-source rendering engine used within the multimedia software.
The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site, Apple warned.
Most of the WebKit flaws were reported by Google's security team and TippingPoint's ZDI, a third-party broker of vulnerability information.
In addition to the WebKit issue, Apple also fixed the following:
- ImageIO: libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. For Mac OS X v10.5 systems, this is addressed in Security Update 2010-007. Further information is available via the libpng website. (Windows 7, Vista, XP SP2 or later).
- ImageIO: A heap buffer overflow issue existed in ImageIO's handling of JPEG images. Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
- ImageIO: A buffer overflow existed in libTIFF's handling of JPEG encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
- ImageIO: A buffer overflow existed in libTIFF's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
- libxml: A double free issue existed in libxml's handling of XPath expressions. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
- libxml: A memory corruption issue existed in libxml's XPath handling. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
The company called special attention to a man-in-the-middle attack scenario: an attacker positioned on the network path could cause an unexpected application termination or arbitrary code execution while a target user is browsing the iTunes Store via iTunes. This is caused by a vulnerability in WebKit.
iTunes 10.2 is being pushed out via the Mac OS X and Windows software update mechanisms. It can also be downloaded directly from Apple's iTunes web site.