Apple plugs gaping iTunes hole, doesn't tell everyone


Summary: Apple today shipped an iTunes software refresh to add support for all the shiny new toys but, unless you're following security announcements closely, you'd never know that iTunes 7.4 contains a fix for a pretty nasty code execution vulnerability.

Topics: Security, Apple, Hardware

Apple today shipped an iTunes software refresh to add support for all its shiny new toys but, unless you're following security announcements closely, you'd never know that iTunes 7.4 contains a fix for a pretty nasty code execution vulnerability.

Here's what Mac users see:

[Image: the iTunes 7.4 update notice, captioned "Apple plugs gaping iTunes hole, doesn't tell anyone"]

No mention whatsoever of CVE-2007-3752, a buffer overflow vulnerability that puts both Mac and Windows users at risk of arbitrary code execution attacks.

Our own Apple bloggers completely missed the security component of this iTunes update.

To be fair, the company did issue a brief advisory with basic details of this patch but, unless you pay close attention to these things, you just might skip this update because there's no prominent security warning from Apple.

Here's Apple's own explanation of the impact of this flaw, which was reported by David Thiel of iSEC Partners:

A buffer overflow exists in iTunes when processing album cover art. By enticing a user to open a maliciously crafted music file, an attacker may trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing proper bounds checking.
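The advisory's fix is "proper bounds checking", which for a tag parser means checking a declared length against both the bytes actually present and the destination buffer before copying. The following C example is added here and is not Apple's code; it uses a constructed, hypothetical cover-art tag layout (a 4-byte big-endian length followed by image bytes) to show the two checks whose absence produces exactly the overflow class described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tag layout, constructed for this example (not a real
 * iTunes or ID3 structure): 4-byte big-endian image length, then data. */
#define COVER_HDR 4

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The defect pattern behind this bug class is a single unchecked
 *     memcpy(out, tag + COVER_HDR, rd_be32(tag));
 * where the attacker controls the declared length. The hardened version
 * below returns 0 on success and -1 for anything malformed or oversized. */
int copy_cover_art_checked(const uint8_t *tag, size_t tag_len,
                           uint8_t *out, size_t out_cap, size_t *out_len) {
    if (tag == NULL || out == NULL || out_len == NULL || tag_len < COVER_HDR)
        return -1;                       /* header itself is truncated */
    uint32_t declared = rd_be32(tag);
    if (declared > tag_len - COVER_HDR)  /* claims more data than the file holds */
        return -1;
    if (declared > out_cap)              /* would overrun the destination buffer */
        return -1;
    memcpy(out, tag + COVER_HDR, declared);
    *out_len = declared;
    return 0;
}

int main(void) {
    /* Constructed inputs: a well-formed 3-byte image, and a tag whose
     * header claims 0x10000000 bytes while only 3 bytes follow it. */
    const uint8_t good[] = {0x00, 0x00, 0x00, 0x03, 'J', 'P', 'G'};
    const uint8_t bad[]  = {0x10, 0x00, 0x00, 0x00, 'J', 'P', 'G'};
    uint8_t img[256];
    size_t n = 0;
    int rc = copy_cover_art_checked(good, sizeof good, img, sizeof img, &n);
    printf("well-formed tag: rc=%d, %zu bytes copied\n", rc, n);
    rc = copy_cover_art_checked(bad, sizeof bad, img, sizeof img, &n);
    printf("oversized length: rc=%d (rejected before any copy)\n", rc);
    return 0;
}
```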

Even if you don't have the new iPods and won't be needing support, this is an iTunes update you absolutely should apply. The patch is being delivered via the Mac's automatic software update utility.

Manual download locations: iTunes 7.4 for Mac and iTunes 7.4 for Windows.


Talkback

46 comments
  • Typical Apple operating procedure.

    No news here. Let the users be at risk so we can pretend our software is safe.
    xuniL_z
• As opposed to Microsoft...

      Yeah we have critical failure 'X' but we are not going to fix it in the near future.
      mrlinux
      • Wow, obsess much?

        This article is about gaping holes in Apple's software. It has nothing to do with Microsoft. Why don't you mention Goodyear's tire recall in every article that has nothing to do with Goodyear? Oh yeah, it is because you are obsessed with Microsoft.
        NonZealot
        • Not near as much as you do

          Ever have anything nice to say about anything? No, because all you do is post anti-Apple diatribes.

          Talk about obsessions.
          MarcB_z
        • NonZealot, I have bookmarked your post,

          and will remind you and everyone else of it at any time in the future if you [i]ever[/i], and I do mean [b]ever[/b], post anything negative about Apple again in any thread to an article that isn't about Apple, on this or any other forum that both you and I participate in. Ever.

          After all, you wouldn't want to be a [i]hypocrite[/i], now, would you? Since you're, you know, a non-zealot and all...
          Joel R
        • That's the funniest thing..

          I've ever read here. He's doing it for the same reason you bring Apple into every conversation.

          Or do you think you actually sound like you're rational?
          msalzberg
        • No just showing the other side of the fence

          NT
          mrlinux
    • Let's pretend the threats are real.

      "Let the users be at risk so we can pretend our software is safe."

      go ahead, mate, get some malicious code on my computer without me knowing about it.

      Security fixes aren't a response to something that has happened.

      I ain't usin' Windows, there's no way you will get in. But you pretend you can.
      mlindl
      • Same here, mate.

        I'm running XPSP2. go ahead, get some malicious code on my computer, period. Not w/o me knowing about it since you'll never accomplish it. I will know you *tried* and enjoy watching your attempt fail however.
        You, on the other hand, will have some cleaning up to do.
        xuniL_z
    • Isn't that what Microsoft was doing in 2007.

      If anything, Microsoft isn't saying too much about its products being buggy anymore.
      Does anyone know why this is happening?
      AdventTech67
  • To be fair, the company did issue a brief advisory with basic details of th

    so what was your "article about"?
    Non-Zealand
    • Where?

      Where did you find that advisory?

      _r
      Ryan Naraine
      • Erm...

        Unless you've just added it to your blog, you referenced the advisory didn't you? If you didn't I am probably suffering from too much, or too little caffeine :P
        zkiwi
      • I only quoted your own article...

        do you really think the average user has the time to read all this? No, just the selected few are interested.
        Non-Zealand
      • where???

        to wit:
        To be fair, the company did issue a brief advisory with basic details of this patch but, unless you pay close attention to these things, you just might skip this update because there's no prominent security warning from Apple.

        someone named Ryan WROTE that himself!!!
        richvball44
  • Why help the hackers??

    Ya know - Not everyone downloads a fix immediately, so why in the world would you want to let some "Apple or Microsoft Hacker Wannabe" know that there's a chance to still do some damage. I personally think that hackers should be hung by their thumbs or mouse fingers for taking all the fun out of computing for the rest of us. When you write an article like this, you're only helping them. If I was Apple or Microsoft, I wouldn't tell anyone about any potential "holes".
    Prime Detailer
    • Because...

      The average iTunes user might just skip this critical security patch, thinking it's a trivial "features" update.

      _r
      Ryan Naraine
      • Good one.

        Now, why would someone skip a free upgrade to a free program that gives them more fun stuff in said program?

          Methinks the lady doth protest too much.
        frgough
        • Equal Treatment

          When other vendors try to pull this type of stunt they get thrown under the bus for it...as they should. Microsoft has done this before and received the negative press they deserve for not notifying their customers of a gaping security hole. Apple deserves the same amount of negative press for trying to sneak this by everyone. Nowhere on the update screen does it mention that this update includes a security fix for a vulnerability in their software. Just because the Apple brand name brings to mind images of bunnies, flowers, and dancing iPods doesn't mean they're immune to equal treatment.
          dwerk
          • The game of hyperbole

            "may cause an application crash or allow arbitrary execution of code" is a gaping hole, these days, I see. So, what do we call the ANI flaw? Ultra mega gaping?
            frgough