Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Apple slaps another security band-aid on iTunes

By Ryan Naraine | October 11, 2011, 1:09pm PDT

Summary: Apple patches 79 gaping security holes in the iTunes for Windows software.

Apple has shipped iTunes 10.5, which fixes a large batch of security vulnerabilities that expose Windows users to remote attacks.

The update, available for Windows 7, Windows Vista and Windows XP SP2 or later, fixes a total of 79 documented vulnerabilities. The most serious of these could allow remote code execution when iTunes processes a maliciously crafted image or movie file.

The bulk of the vulnerabilities affect the open-source WebKit rendering engine that powers the iTunes Store and iTunes LP.

Details on the vulnerabilities can be found in this Apple security advisory.

iTunes 10.5 is being distributed through the Apple Software Update utility on Windows (it is not pushed by Windows Update, which only carries third-party drivers). Alternatively, it can be downloaded directly from the iTunes web page.
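As an added example, not code from the ZDNet post or from Apple, the following PowerShell snippet reports whether the iTunes build on a Windows host is at or above 10.5, the release that carries these fixes. It assumes iTunes registers under the standard Uninstall registry keys (64-bit and Wow6432Node) with DisplayName "iTunes" and a dotted DisplayVersion such as "10.5.0.142"; the key paths, the function names and the version comparison are this example's own.

```powershell
# Added example, not code from the ZDNet post or from Apple.
# Checks whether the installed iTunes for Windows is at or above 10.5,
# the release that carries the 79 fixes described above.
# Assumptions: iTunes appears under the standard Uninstall registry keys
# with DisplayName "iTunes" and a dotted DisplayVersion such as "10.5.0.142".

function Get-ITunesVersion {
    # Both the 64-bit and the 32-bit (Wow6432Node) uninstall hives, since the
    # iTunes installer may register under either depending on the build.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'iTunes' -and $_.DisplayVersion } |
        Select-Object -First 1

    if (-not $entry) { return $null }
    return [version]$entry.DisplayVersion
}

function Test-ITunesPatched {
    param(
        [Parameter(Mandatory = $true)][version]$Installed,
        [version]$Required = [version]'10.5'
    )
    # [version] comparison is component-wise, so 10.5.0.142 -ge 10.5 is $true
    # and 10.4.1.10 -ge 10.5 is $false.
    return ($Installed -ge $Required)
}

$installed = Get-ITunesVersion
if ($null -eq $installed) {
    Write-Output 'iTunes is not installed on this host.'
} elseif (Test-ITunesPatched -Installed $installed) {
    Write-Output "iTunes $installed is at or above 10.5; the fixes in this advisory are present."
} else {
    Write-Output "iTunes $installed predates 10.5; update via Apple Software Update or the iTunes download page."
}
```

The version comparison is done on the parsed DisplayVersion rather than on the string, so a four-component build number such as 10.5.0.142 compares correctly against the two-component 10.5 threshold.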


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

43
Comments


RE: Apple slaps another security band-aid on iTunes
forrestgump2000@... Updated - 11th Oct
What are the criteria for a security hole to be "gaping" ?
@forrestgump2000@... It needs to be mentioned in a ZDNet Security blog posting. "iTunes haunted by gaping holes; Apple slaps on megapatch bandaid"

Something like "iTunes 10.5 released; patches security holes" would never suffice.
@forrestgump2000@... any security hole reported on ZDNET is gaping. And how they come to it being a band-aid is beyond me; are they viewing the code to see if it is a band-aid or if it is fixing the problem? And this isn't just related to Apple and iTunes but also to any patch. Adobe seems to patch "gaping holes" in Flash every other week.
@forrestgump2000@...
I wonder too! A company notifies users that there is an issue with its software and issues an update to fix the problem. Someone please explain why they should be condemned rather than applauded?? Aaiiee!!
LOL @All of the Above, it's called "Yellow Journalism"
"Gaping" flaw
SenorAlejandro 12th Oct
@forrestgump2000@... A security hole is "gaping" if it is obvious enough that a normal level of QC ought to find it, OR if it remains unpatched for very long after detection. Whether or not these seventy-nine issues were as big a deal as they're being made out to be, I can't say.
Look what these guys do for a living ... write about nothing and try to make it sound worth reading.
@Stix2002 ... yet you read it all the way through to the end and even the comments... one can only wonder what you do for a living...
iTunes 10.5 also introduces iCloud (I suppose there's a separate article about that?).
Or did this happen in another update and I just missed it?
@ye LOL, seems like you missed it because I never had Safari checked by default during ANY update since early 2010
@MrElectrifyer: ...can say I know it's been checked after early 2010. Maybe toddybottom is on to something.
@ye
On my computer, it is on by default sometimes and off by default sometimes. I haven't figured out the pattern.

The only sure thing is to be vigilant and always check. I always choose to not install Safari. I don't want it on my system.
Agreed, there's a lot more to the iTunes update than security patches. And it seems the same security issues don't exist in the Mac version of iTunes, which suggests there is something about Windows that multiplies security problems. At a minimum, such problems are not the fault of third-party software developers alone. But, of course, it's too much to expect CNET to report the whole story. If only they were the sole "news" outlet to maintain such mediocre standards of journalism. Sadly, they are remarkable only for the fact that they are not remarkable.
@thewhitedog: And it seems the same security issues don't exist in the Mac version of iTunes, which suggests there is something about Windows that multiplies security problems.

...statements along the following:

"For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006."

When will people wise up and understand there is nothing inherent in Windows which makes it any more susceptible to vulnerabilities?
When will people wise up and understand there is nothing inherent in Windows which makes it any more susceptible to vulnerabilities?

When the other ones catch up and have millions of other exploits that Windows has.

We might all be old & dead by then. wink
@ye Never gonna happen dude, as technology grows exponentially, the growth of noobs follows along

Until we manage to develop some knowledge photocopying device, we won't be able to teach every noob out there the basics of man-made technology; "Nothing made by man is indestructible by man"
K olbe
ScorpioBlue 12th Oct
Start teaching...

lol...
@thewhitedog

LOL, it's Windows' fault that iTunes has security holes. And magically, those same security holes disappear as soon as Apple patches iTunes.

Absolutely classic! Folks, you can't make this stuff up.

No seriously, are there actually people out there that are that clueless? Apparently there are...
@thewhitedog

And what fantasy world do you live in? They wrote it, it is their issue. I would love it if they dropped iTunes for Windows then I could uninstall that crap from my wife's laptop and tell her NO!!!, it is out of date and no longer supported. Let the whining commence.
@hopp64

Then give up the iPod or the iPhone. Go find a Zune instead.

That is...if you can find one... wink
@thewhitedog

"At a minimum, such problems are not the fault of third-party software developers alone"

It suggests nothing of the sort. The only thing it suggests is one or more of the following:

a) The engineers working on the Windows specific portions are not as capable as the Mac OS counterparts

b) Apple does not have the required focus on the Windows version

c) Apple does not have the security audit tools available for Windows that they do for Mac OS

d) Some other reason

Please remember that Mac OS is always the OS that gets hacked first in the Pwn2Own contest.
you hack, and everyone wants that Apple laptop.
@baggins_z: Apple is hacked first because the prize is the machine you hack, and everyone wants that Apple laptop.

Back to reality: The real reason OS X is hacked "first" is because the contestant who decided to hack OS X got to go first. There is no other reason. If the contestant who decided to hack Windows went first, then Windows would have fallen first.
@bagginsz

When you say that OS X gets hacked because the guy wants the Mac which is the prize for a successful hack, all you're REALLY saying is that if you make the incentive high enough, people will want to attack OS X, and it will be possible for them to do so.

Which actually proves the exact OPPOSITE of what you think it does.
Memo to Ryan Naraine
kenosha77a 11th Oct
Please increase your objective reporting while at the same time reducing your editorializing of the subject material.

Thank you.
Again, a company notifies users that there is an issue with its software and provides an update to fix the issue. Someone please explain why we would condemn them rather than applaud. Aaiiee!!
The only adjective that Ryan knows is gaping.
"iTunes 10.5 is being distributed via the Windows software update utility."

Actually, it's being pushed via Apple Software Update. I WISH Windows Update would support third party products - but other than drivers, no, they don't support third party products.

Also, reading the patch notes indicates this version adds all of the iCloud stuff. It's in preparation for iOS 5, which is coming Friday.
@CobraA1

iOS 5 is coming tomorrow, the iPhone 4S is coming Friday.
Confirmed
dogbreath1 11th Oct
We already knew Windows was a mess.
@dogbreath1 Exactly! Making some changes to a third-party software fixes the security flaws, and the OS is the one to blame; very wise of you
iTunes,

a good reason to avoid Apple altogether.
@Alan Smithie And Adobe products as well if we are going by security holes in software.
It also adds wireless syncing ability for the pending iOS 5 update...

...coincidence?

I think not.
I'm going to ask the same question I ask on the "Windows Patch Tuesday" blogs - Have any of these vulnerabilities been exploited or were these caught and fixed by the manufacturer? Not that either scenario would invalidate the existence of the vulnerabilities but it would illustrate the difference between a company being proactive or reactive.
That wouldn't be my definition
toddybottom 12th Oct
@Pete "athynz" Athens
Proactive would be fixing the bug before it was released to the customers.

Reactive is fixing it after.
@toddybottom

So, infallibility or bust?

That's not a particularly realistic standard.
That would be "prescient"
spdragoo@... 13th Oct
@toddybottom

For an OS with millions, if not billions, of lines of code, designed to work with a multitude of configurations of 3rd-party hardware, being able to release 100% bug-free code would be "prescient", or perhaps "perfection"...something which no OS provider has managed yet.

"Proactive" is, when the bugs/exploits/vulnerabilities are detected, you fix them before the problem is announced/actually used.

"Reactive" is when you wait until *someone else* detects the bug & announces it before you address it, or you wait to fix it until malware/viruses show up that exploit it. Although there are degrees of "reactive" to consider -- i.e. a 3rd-party notices the exploit, but they notify you before someone else takes advantage of it; you still have to fix it, but there's that window (albeit however small) where you can patch it before someone else takes advantage of it.
Why would you run iTunes 10.5 on anything other than Lion??
@zippytSD

nt