X
Business
Home Business Companies Apple

Apple plugs 57 major security holes in iTunes

If you use Apple's iTunes software -- whether on Windows or Mac OS X -- it's important that you immediately apply the latest software update.
Written by Ryan Naraine, Contributor

itunessmicon.png
If you use Apple's iTunes software -- whether on Windows or Mac OS X -- it's important that you immediately apply the latest software update.

Apple has shipped iTuens 10.2 as a highly-critical patch to cover a whopping 57 security vulnerabilities, some serious enough to allow hackers to take complete control of a vulnerable machine.

According to an advisory from Apple, 50 of the 57 flaws were fixed in WebKit, the open-source rendering engine used within the multimedia software.

The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site, Apple warned.

Most of the WebKit flaws were reported by Google's security team and TippingPoint's ZDI, a third-party broker of vulnerability information.

In addition to the WebKit issue, Apple also fixed the following:

  • ImageIO: libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. For Mac OS X v10.5 systems, this is addressed in Security Update 2010-007. Further information is available via the libpng website. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A heap buffer overflow issue existed in ImageIO's handling of JPEG images. Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A buffer overflow existed in libTIFF's handling of JPEG encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A buffer overflow existed in libTIFF's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • libxml: A double free issue existed in libxml's handling of XPath expressions. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • libxml: A memory corruption issue existed in libxml's XPath handling. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).

The company called special attention to a man-in-the-middle attack scenario may lead to an unexpected application termination or arbitrary code execution while a target user is browsing the iTunes Store via iTunes.  This is caused by a vulnerability in WebKit.

iTunes 10.2 is being pushed out via the Mac OS X and Windows software update mechanisms.  It can also be downloaded directly from Apple's iTunes web site.

Editorial standards
Show Comments

Related

logi-ai-prompt-builder-mx-setup

Logitech mouse and keyboard users are getting a free AI upgrade

Linus Torvalds and Dirk Hohndel, Open Source Summit North America 2024

Linus Torvalds takes on evil developers, hardware errors and 'hilarious' AI hype

Placeholder product image alt text

The best AI image generators to try right now