Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple plugs gaping iTunes hole, doesn't tell everyone

By Ryan Naraine | September 6, 2007, 9:20am PDT

Apple today shipped an iTunes software refresh to add support for all its shiny new toys but, unless you’re following security announcements closely, you’d never know that iTunes 7.4 contains a fix for a pretty nasty code execution vulnerability.

Here’s what Mac users see:

[Screenshot of the iTunes 7.4 update notice shown to Mac users]

No mention whatsoever of CVE-2007-3752, a buffer overflow vulnerability that puts both Mac and Windows users at risk of arbitrary code execution attacks.

Our own Apple bloggers completely missed the security component of this iTunes update.

To be fair, the company did issue a brief advisory with basic details of this patch but, unless you pay close attention to these things, you just might skip this update because there’s no prominent security warning from Apple.

Here’s Apple’s own explanation of the impact of this flaw, which was reported by David Thiel of iSEC Partners:

A buffer overflow exists in iTunes when processing album cover art. By enticing a user to open a maliciously crafted music file, an attacker may trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing proper bounds checking.
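As an added illustration (not Apple's code, and not iTunes' real tag format), here is a hypothetical length-prefixed cover-art tag parser in C: the unchecked copy shows the overflow class the advisory describes, and parse_cover_art adds the bounds checking the fix refers to. The tag layout, the function names and ART_BUF_SIZE are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag layout (an assumption for this example, not iTunes' real
 * format): a 4-byte big-endian length followed by that many image bytes.
 * ART_BUF_SIZE is deliberately tiny so the sample tags below exceed it. */
#define ART_BUF_SIZE 16

struct cover_art {
    uint8_t  data[ART_BUF_SIZE];
    uint32_t len;
};

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The overflow pattern the advisory describes: the length comes from the
 * file and is trusted. A declared length above ART_BUF_SIZE writes past
 * out->data; one above the real input size reads past the tag. Shown for
 * contrast only; nothing in this example calls it. */
void parse_cover_art_unchecked(const uint8_t *tag, struct cover_art *out) {
    uint32_t declared = read_be32(tag);
    memcpy(out->data, tag + 4, declared);   /* no bounds check */
    out->len = declared;
}

/* The check the fix adds: the declared length must fit both the destination
 * buffer and the bytes actually present after the header. Returns 1 if sane. */
int art_length_is_sane(uint32_t declared, size_t remaining, size_t capacity) {
    return declared <= capacity && declared <= remaining;
}

/* Hardened parser. Returns 0 on success, -1 if the header is truncated,
 * -2 if the declared length fails the bounds check. */
int parse_cover_art(const uint8_t *tag, size_t tag_len, struct cover_art *out) {
    if (tag_len < 4) return -1;
    uint32_t declared = read_be32(tag);
    if (!art_length_is_sane(declared, tag_len - 4, sizeof out->data)) return -2;
    memcpy(out->data, tag + 4, declared);
    out->len = declared;
    return 0;
}

int main(void) {
    struct cover_art art;
    /* Constructed sample tags. good: declared length 8, 8 bytes present. */
    const uint8_t good[]   = {0,0,0,8,  0xFF,0xD8,0xFF,0xE0,0,0,0,0};
    /* huge: declared length 64, far larger than the 16-byte buffer. */
    const uint8_t huge[]   = {0,0,0,64, 0xFF,0xD8,0xFF,0xE0,0,0,0,0};
    /* short_: declared 12 fits the buffer, but only 8 bytes follow the header. */
    const uint8_t short_[] = {0,0,0,12, 0xFF,0xD8,0xFF,0xE0,0,0,0,0};
    const uint8_t stub[]   = {0,0};   /* not even a full header */

    printf("good:  %d\n", parse_cover_art(good,   sizeof good,   &art));  /* 0 */
    printf("huge:  %d\n", parse_cover_art(huge,   sizeof huge,   &art));  /* -2 */
    printf("short: %d\n", parse_cover_art(short_, sizeof short_, &art));  /* -2 */
    printf("stub:  %d\n", parse_cover_art(stub,   sizeof stub,   &art));  /* -1 */
    return 0;
}
```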

Even if you don’t have the new iPods and won’t be needing support, this is an iTunes update you absolutely should apply. The patch is being delivered via the Mac’s automatic software update utility.

Manual download locations: iTunes 7.4 for Mac and iTunes 7.4 for Windows.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

46 Comments

Isn't that what Microsoft was doing in 2007.
AdventTech67 13th Jan 2008
If anything, Microsoft isn't saying too much about its products being buggy anymore.
Does anyone know why this is happening?
0 Votes
+ -
Typical Apple operating procedure.
xuniL_z 6th Sep 2007
No news here. Let the users be at risk so we can pretend our software is safe.

0 Votes
+ -
As oppose to Microsoft...
mrlinux 6th Sep 2007
Yeah we have critical failure 'X' but we are not going to fix it in the near future.
0 Votes
+ -
Wow, obsess much?
NonZealot 6th Sep 2007
This article is about gaping holes in Apple's software. It has nothing to do with Microsoft. Why don't you mention Goodyear's tire recall in every article that has nothing to do with Goodyear? Oh yeah, it is because you are obsessed with Microsoft.
0 Votes
+ -
Not near as much as you do
MarcB_z 6th Sep 2007
Ever have anything nice to say about anything? No because all you do is post anti-Apple diatribes.

Talk about obsessions.
0 Votes
+ -
and will remind you and everyone else of it at any time in the future if you ever, and I do mean ever, post anything negative about Apple again in any thread to an article that isn’t about Apple, on this or any other forum that both you and I participate in. Ever.

After all, you wouldn’t want to be a hypocrite, now, would you? Since you’re, you know, a non-zealot and all.…
0 Votes
+ -
That's the funniest thing..
msalzberg 8th Sep 2007
I've ever read here. He's doing it for the same reason you bring Apple into every
conversation.

Or do you think you actually sound like you're rational?
0 Votes
+ -
NT
0 Votes
+ -
"Let the users be at risk so we can pretend our software is safe."

go ahead, mate, get some malicious code on my computer without me knowing about it.

Security fixes aren't a response to something that has happened.

I ain't usin' Windows, there's no way you will get in. But you pretend you can.
0 Votes
+ -
Same here, mate.
xuniL_z 7th Sep 2007
I'm running XPSP2. go ahead, get some malicious code on my computer, period. Not w/o me knowing about it since you'll never accomplish it. I will know you *tried* and enjoy watching your attempt fail however.

You, on the other hand, will have some cleaning up to do.
0 Votes
+ -
If anything, Microsoft isn't saying too much about its products being buggy anymore.
Does anyone know why this is happening?
so what was your "article about"?
0 Votes
+ -
Where?
Ryan Naraine 6th Sep 2007
Where did you find that advisory?

_r
0 Votes
+ -
Erm...
zkiwi 6th Sep 2007
Unless you've just added it to your blog, you referenced the advisory didn't you? If you didn't I am probably suffering from too much, or too little caffeine :P
0 Votes
+ -
I only quoted your own article...
Non-Zealand 6th Sep 2007
do you really think the average user has the time to read all this? No, just the selected few are interested.
0 Votes
+ -
where???
richvball44 8th Sep 2007
to wit:
To be fair, the company did issue a brief advisory with basic details of this patch but, unless you pay close attention to these things, you just might skip this update because there's no prominent security warning from Apple.

someone named Ryan WROTE that himself!!!
0 Votes
+ -
Why help the hackers??
Prime Detailer 6th Sep 2007
Ya know - Not everyone downloads a fix immediately, so why in the world would you want to let some "Apple or Microsoft Hacker Wannabe" know that there's a chance to still do some damage. I personally think that hackers should be hung by their thumbs or mouse fingers for taking all the fun out of computing for the rest of us. When you write an article like this, you're only helping them. If I was Apple or Microsoft, I wouldn't tell anyone about any potential "holes".
0 Votes
+ -
Because...
Ryan Naraine 6th Sep 2007
The average iTunes user might just skip this critical security patch, thinking it's a trivial "features" update.

_r
0 Votes
+ -
Good one.
frgough 7th Sep 2007
Now, why would someone skip a free upgrade to a free program that gives them more fun stuff in said program?

Me thinks the lady doth protest too much.
0 Votes
+ -
Equal Treatment
dwerk 7th Sep 2007
When other vendors try to pull this type of stunt they get thrown under the bus for it...as they should. Microsoft has done this before and received the negative press they deserve for not notifying their customers of a gaping security hole. Apple deserves the same amount of negative press for trying to sneak this by everyone. Nowhere on the update screen does it mention that this update includes a security fix for a vulnerability in their software. Just because the Apple brand name brings to mind images of bunnies, flowers, and dancing iPods doesn't mean they're immune to equal treatment.
0 Votes
+ -
The game of hyperbole
frgough 7th Sep 2007
"may cause an application crash or allow arbitrary execution of code" is a gaping hole, these days, I see. So, what do we call the ani flaw? Ultra mega gaping?
0 Votes
+ -
The game of reading
dwerk 7th Sep 2007
Since you replied to my message in particular and not this article in general I'm guessing this is directed at me. If you read my post you will see that I didn't refer to this as a gaping hole. Some would say it's better to keep your hole closed rather than open it only to put your foot in it.
0 Votes
+ -
Hyperbole
frgough 10th Sep 2007
The word sneak was in your post. Different word, same intent. Sneak implies malicious behavior.

The original point stands; to wit: over the top hyperbole.
0 Votes
+ -
Really?
PghNative 7th Sep 2007
"the Apple brand name brings to mind images of bunnies, flowers, and dancing iPods"
I think Photoshop, Cinema 4D, Amorphium, After Effects, Final Cut all playing nice together.
0 Votes
+ -
Plays together nicely on a PC too.
laura.b 10th Sep 2007
You can ask my fiance...he runs them all on a Mac at the moment and on my PC. He prefers the PC. He's getting one on the next upgrade.

Wait, I take that back. He doesn't use Amorphium. He uses Poser, or some incarnation thereof...he keeps up with this crap and keeps it in his own special folder on my PC desktop for his use, so I won't accidentally open it up and "screw up something" like I'm an idiot and can't find the little red x-box...honestly...but I digress. He may have that or not. I'm not sure. But all Adobe products run just beautifully on a PC, as do Maxon products. At least, they run beautifully on mine...they don't cause any problems, even when he leaves them open they don't slow down the other applications..considering I have a laptop that's not particularly high-end that's surprising to even me! lol

Truthfully, the first thing I think of when I think of Apple is that crappy baby music in the commercials. I figure in some flowers and bunnies equate with nursery music nicely. Thank god the newest iMac commercials have some soul in the background tune. They needed that desperately.
0 Votes
+ -
I skipped it
mlindl 7th Sep 2007
And I'm still not worried about somebody getting a malicious album artwork something on my system.
0 Votes
+ -
when
richvball44 8th Sep 2007
was the last time ANY OS vendor did a "trivial update?" i really don't think people are as stupid as you think!
0 Votes
+ -
Secunia
notlob 8th Sep 2007
I only found out that the latest iTunes update included a critical security fix because I ran the online Secunia scan last night and it said my iTunes was vulnerable. I had dismissed iTunes' earlier request to update because I couldn't be bothered at the time to update. I had no idea it included a security fix till Secunia told me.
Who's to tell? The theoretical hole that affects ZERO people on this Earth - maybe in a parallel universe, iTunes is totally infected? Are you from Earth 2.0? Because on this Earth, it's just a theoretical one that is now even more theoretical as you say it's been closed so the suicide watch is off, right?

What's with all the bad karma? What did you do on Earth 2.0 that you have to cry over invisible spilled milk on this planet - chill, dude.
0 Votes
+ -
Because he needs a new car
Kid Icarus-21097050858087920245213802267493 7th Sep 2007
new house, new boat, etc., etc...
0 Votes
+ -
So every Classic Ipod, Itouch user will be forced to install XcraP or SVista?

Updates are no more available for Quicktime on Win2000 too...
I got the auto download on my PC last night - I let it do its thing but I didn't even know that there was a security problem. Oh well...
0 Votes
+ -
"To be fair, "
mlindl 7th Sep 2007
Why start now?
0 Votes
+ -
Can Macs be compromised?
butler360 7th Sep 2007
I thought that if you were running Firefox on OSX, then you're OK.
0 Votes
+ -
Recent browser studies
laura.b 10th Sep 2007
indicate that Firefox may be less secure than IE, depending on the versions. However, I'm not sure that this applies to the most recent versions of either. In any case, however, if you want browser security, go with Opera. 10x less vulnerabilities easily. Not to mention it's FAST and has cool little goodies like mouse gestures and speed dial. OMG I thought our internet had gotten better. I'm serious. It's THAT much faster than Firefox. As soon as I'm finished with school (the online platform doesn't support Opera yet) I'll never use IE again. And I'm a big MS fan. What does that tell you?

And it's free, and takes about 15 minutes to both download and install. WORTH IT.

Food for thought. Have a nice day.
0 Votes
+ -
is a lot more secure than Firefox on Windows, simply because the MSIE backdoor isn't there. That's still the biggest security issue with Firefox on any platform.

Having said that, I like the mix of Opera on Mac, Windows, and Wii, but I'll keep Firefox on Linux.
0 Votes
+ -
So what?
bonchi74@... 8th Sep 2007
we bought 3 compaq 6710b laptops with Windows Fista and guess what? 2 weeks in use and I call up HP after several blue screens on 2 of the 5 laptops... they tell me they've had a ton of Fista complaints. No software is perfect right but Fista is a JOKE. its a desperate move to keep investors happy
0 Votes
+ -
the only gaping hole is the author's
bonchi74@... 8th Sep 2007
I've had windows, linux and now OS X. there is no other reason to stay in windows in the personal sense if it isn't a life dedicated to Microsoft. I don't settle for anything less than OS X or linux. it's just not common sense. Open 60 windows in Fista and you will have an unresponsive machine. Do that in any nix based system and it still works! why settle for anything less than that just for practicing to troubleshoot an ailing Fista machine is crazy
60 windows of what? I can do 60 explorers fine. I can open 20 or 30 playlist windows in iTunes before music and video playback stutters. I can have multiple music and video playbacks all occurring at the same time with no problems. In fact the only crashes I've had recently came from iTunes 7.4 when it arrived - certain video podcasts caused the NVDDKMLM error in my nVidia driver. Didn't blue screen though - it just went unresponsive for 30 seconds and then restarted the video driver. iTunes 7.4.1 appears to have fixed this.

It's very funny that a lot of the people claiming instability of the favoured OS of hate (Mac or Windows or Linux) always seem to have ultra unstable PCs. Mine is just fine (apart from the aforementioned error). Maybe you should all learn to work your computers? Or how to build them properly in the first place? In the past ten years of working with Windows PCs I have had about 5 blue screens. Seriously. Two of those I remember were to do with a USB ADSL modem driver that wasn't updated for XP after two (!) years.

Either I'm God-like with computers (very probably - I'm fantastically good looking and modest as well) or there's a lot of people out there who have really badly put together machines...
0 Votes
+ -
THANK YOU
laura.b 10th Sep 2007
It's about time. I have said this exact thing before. I just don't understand people's problem with Windows. I have been using Windows PCs for 18 years, never once have I had a virus, spyware, malware, BSOD, ANYTHING. And I'm not an expert in any fashion. I am strictly a user, albeit I'd call myself above-average, not a builder or a pro. No one that I know has had a problem with Windows. I have witnessed one BSOD, but it was PEBKAC and it was a very simple reboot correct.

I really wonder how much of this stuff is true. I've done rough math on the subject. I know a lot of people, all of them use Windows. To simplify the math, I'm probably familiar with 100 Windows users. 1 BSOD. 1% error rate. That seems very small compared with the unadulterated bitching you hear from PC "converts" on these sites. Frankly, I think that most of them are either incapable of using a computer or are totally full of crap. But that's just me. I could be wrong. Or my corner of the world could be either extremely lucky or really good. Who knows?
0 Votes
+ -
True?
filker0 10th Sep 2007
I'll have to say that, by my experience, most of it is true. So, I'd say, you're lucky. Either that or you're infected and don't know it.

I can be considered an expert.

I'd written a much longer reply, but none of this really has much to do with the iTunes thing. On Windows, the vulnerability that Apple fixed would potentially allow a malicious cover art image to run arbitrary code in the user's context, which more likely than not has admin privs. On OSX, it allows the malicious cover art image (it would have to be a different one) to execute code in the user's context, which is almost certainly not root.
0 Votes
+ -
Let's compare
frabjous 10th Sep 2007
It's hard to know if your 100 contacts are typical users, or even if they are truthful about Windows problems.

One more measurable way to compare maintenance differences in the two OSs is to check the size of the support team in companies with significant installations of either or both. In my personal experience, in a multi-platform company, the PC/Windows support ratio was over 8 times the Mac support ratio (techs to users) and the trend was widening. While most users just did mundane corporate stuff on their desktops, the Mac users tended to do more challenging work, like very high-end graphics and presentations. In talking to customers and suppliers over time, I found similar comparisons across the country. YMMV.
0 Votes
+ -
Mundane corporate stuff vs single task
NonZealot 11th Sep 2007
While most users just did mundane corporate stuff on their desktops, the Mac users tended to do more challenging work, like very high-end graphics and presentations.

What I've found is that the PC is used for everything under the sun while the Mac typically has 1 application installed on it and that is the only application used. You dismiss the corporate stuff as "mundane" which it might be but it is also typically extremely varied work requiring dozens, if not hundreds of applications, some third party, many built in house, each requiring support, upgrades, sometimes conflicting with each other, etc. etc. etc. It is a lot easier to support a computer that has 1 shrink wrapped program installed on it than a computer that has dozens of sometimes amateurishly written applications installed on it. To believe otherwise is to betray yourself as an Apple zealot.
0 Votes
+ -
Doesn't this drama never end?
Solid Jedi Knight 8th Sep 2007
People really must be drinking tons of that hateorade, because the venom being spewed out about both OS-X and Vista is absolutely ridiculous. I have two systems on Vista and have had ZERO issues with either system. I find both systems speedy and responsive, and the very occasional problem with iTunes or AVG is just a minute annoyance. Just restart the program and boom its back up and running. You guys act like Vista runs worse than Windows Millennium Edition.

If your system is that unresponsive and fails to the degrees that people are talking about, then perhaps you guys aren't as talented with PC's as you claim. Perhaps some of you aren't updating, running anti-virus, running anti-spyware/rootkit software, or your hardware is several years due for an upgrade. I have had ZERO blue screens of death and no catastrophic failure of any Vista OS. If anything, XP is the old, creeky, patched upon patched OS that should be thrown into the recycle bin and forgotten about.

I'm not saying that Vista is anywhere near perfect. I really do hate the media/networking issue. I think it could do a better job of task management and utilizing both cores on multi-core systems. Personally, I hate not being able to see the drive status monitor on the disk defrag application. I really liked that part of the old disk defrag. The UAC is no different than what OS-X does. It needs better memory management. Windows Mail should be integrated to use Hotmail without having to download some additional software.

I really do not think Vista is as bad as everyone says. Even local computer guys here in Dallas have not seen these huge failures and super slowdowns people claim. I think people in here are suffering from a case of OS hyperbole and need to put the hateorade down. You people act like you get absolutely nothing done with your system. Let's get back to reality here. Now those of you who have identified a real issue, then you got my sympathies. The rest of you, just quit your whining. You sound as bad as John Dvorak and Jim Louderback.
...although you made it better. There's a disproportionate amount of noise from a relatively vocal minority on this site. Just look at the people who crop up in every single discussion. It's crazy.

Back on topic, my iTunes 7.4.1 did exhibit one piece of strange behaviour just now. I have a 4 month old 30Gb iPod video (in black fact fans) and upon the first connection since the upgrade, it first of all decided it was an iPod Classic (potentially understandable mistake), then when I went through the motions, ejected the iPod, unhooked it and then stuck it back in its dock, iTunes decided it was an iPod Touch (huh? what? huh?). Since then I haven't been able to reproduce the error. If I can I'll get a photo of me, my iPod and the screen to show you how iTunes can save you roughly £200 by renaming your iPod to a newer model! Thanks Mr Jobs!

(Unfortunately, since then iTunes has correctly identified the iPod)
That's unfortunate. I've been seeing chatter about how these updates trash home-grown ringtones and so people may choose their ring-tones over the updates if that is all the update seems to be doing. Every company should identify, if not the explicit problem being addressed, the security nature of an update so we have all the information and can make our choices.

an attacker may trigger the overflow which may lead to an unexpected

This article *may* have credence or it *may* lead to an explosion of "see? I told you the Mac was vulnerable" comments. Or, it *may* not.

Oh, and I *may* be typing this with my cynical mode in high gear - or I *may* not be.

Don't tell us about *may*, tell us about *WILL*. That's where we should be worrying.
