
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Critical iTunes flaw exposes Mac, Windows to hacker attacks

By | September 22, 2009, 7:09pm PDT

Summary: Apple has shipped iTunes 9.0.1 to fix a critical security hole that puts Mac and Windows users at risk of computer takeover attacks.


The vulnerability could be used by hackers to launch code execution attacks via booby-trapped “.pls” files, Apple warned in an advisory.

The skinny:

  • Impact:  Opening a maliciously crafted .pls file may lead to an unexpected application termination or arbitrary code execution
  • Description:  A buffer overflow exists in the handling of .pls files. Opening a maliciously crafted .pls file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

The update is available for Mac OS X v10.4.11 or later, Mac OS X Server v10.4.11 or later, Windows XP, Vista and Windows 7.
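
To illustrate the bug class the advisory describes (a buffer overflow in .pls handling, fixed with bounds checking), here is an added example that is not Apple's code and not part of the original article: a minimal .pls parser in C that rejects any key or value too large for its fixed buffer instead of copying it. The buffer sizes and function names are assumptions; the advisory does not say which field overflowed.

```c
#include <stdio.h>
#include <string.h>

#define PLS_KEY_MAX   32   /* buffer sizes are assumptions for this example */
#define PLS_VALUE_MAX 256

/* Unsafe pattern being avoided (comment only, never compiled):
 *     char value[PLS_VALUE_MAX]; strcpy(value, eq + 1);  // unchecked length */

/* Copy one "Key=Value" line into fixed-size buffers.
 * Returns 0 on success, -1 if malformed or if either part would not fit. */
int pls_parse_line(const char *line, char *key, size_t key_sz,
                   char *value, size_t value_sz)
{
    size_t line_len = strcspn(line, "\r\n");          /* this line only */
    const char *eq = memchr(line, '=', line_len);
    if (eq == NULL || eq == line) return -1;
    size_t key_len = (size_t)(eq - line);
    size_t val_len = line_len - key_len - 1;
    if (key_len >= key_sz || val_len >= value_sz) return -1; /* room for NUL */
    memcpy(key, line, key_len);     key[key_len] = '\0';
    memcpy(value, eq + 1, val_len); value[val_len] = '\0';
    return 0;
}

/* Walk a whole playlist: number of FileN entries, or -1 if any line is rejected. */
int pls_count_files(const char *text)
{
    char key[PLS_KEY_MAX], value[PLS_VALUE_MAX];
    int files = 0;
    if (strncmp(text, "[playlist]", 10) != 0) return -1;
    for (const char *p = text + 10; *p != '\0'; p += strcspn(p, "\r\n")) {
        p += strspn(p, "\r\n");                       /* skip line endings */
        if (*p == '\0') break;
        if (pls_parse_line(p, key, sizeof key, value, sizeof value) != 0)
            return -1;
        if (strncmp(key, "File", 4) == 0) files++;
    }
    return files;
}

int main(void)
{
    /* Constructed sample playlist, not taken from any real file. */
    const char *sample = "[playlist]\nFile1=http://example.invalid/a.mp3\n"
                         "Title1=Demo\nNumberOfEntries=1\nVersion=2\n";
    printf("entries: %d\n", pls_count_files(sample));
    return 0;
}
```

The length comparison uses `>=` so that one byte is always left for the terminating NUL; a value of exactly `PLS_VALUE_MAX` characters is rejected.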


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

32
Comments


RE: Critical iTunes flaw exposes Mac, Windows to hacker attacks
birumut Updated - 2nd May 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat
0 Votes
So predictable
frgough 22nd Sep 2009
Headline for Apple:

"Critical iTunes flaw exposes Mac, Windows to hacker
attacks"

Then when you read the article, you find out that, oh, btw,
it's patched.

Headline for Sun:

"Sun patches 'critical' StarOffice/StarSuite flaw"

But, don't even suggest that our friendly blogger has an
agenda...
0 Votes
It Doesn't Really Matter
DannyO_0x98 22nd Sep 2009
The headline got my attention. I got Software Update a-percolating
and then came in to get details.

The majority of bugs/vulnerabilities are revealed via their just released
fixes, any way. It doesn't matter how critical to everyday computing
these things are, the detractors go into high offense mode that the
vendor could make such an egregious error and that any one would
run that vendor's software. Closely followed, of course, by the
supporters who point out the unlikelihood that a person who behaves
sensibly or who has plunked down their money at every upgrade
opportunity would be affected by the problem. Sun rise sun set.

So playlists. The .pls format for play lists is used with other software.
I gather the others got it right? It's been around for years: old problem
or did something change?

We won't be told. Software Update is done. Did not need a restart,
which is unusual for iTunes updates. Interesting. And by that I mean
I'll forget about it the next time I see a shiny object.

Alleged yellow journalism in the headlines is the least of our
problems.
0 Votes
Is my computer at risk from this?
NonZealot 22nd Sep 2009
I have a Zune and a Windows Mobile phone so I have not
installed iTunes. Is my computer still at risk from this
swiss cheese Apples software?
0 Votes
From this? No...
vulpine@... 23rd Sep 2009
But from the multiple thousands of trojans, worms and other
malware that specifically targets Windows machines? Yes.
0 Votes
Yes...
zkiwi 23rd Sep 2009
Because as you have come to believe, all things Apple are out to get you, and if they can take over the world. Watch out for any odd desires for owning turtleneck sweaters etc. It could mean you're "changing."
0 Votes
Not Just any old...
arminw 23rd Sep 2009
Turtleneck sweaters, but specifically and only black ones!
0 Votes
RE: Risk
JakAttak 23rd Sep 2009
I have a Zune and a Windows Mobile phone so I have not
installed iTunes. Is my computer still at risk from this
swiss cheese Apples software?


Not at all. It's just at risk from the other thousands of vulnerabilities from
Windows, Office, Messenger and more.

It sucks that any software opens a PC up to attacks, but it unfortunately
happens all the time from every major developer.
0 Votes
To which he syncs with a Windows Box
Snooki_smoosh_smoosh 23rd Sep 2009
running on Apple Hardware.

You know denial is a terrible thing...
0 Votes
Absolutely!
Pete "athynz" Athens 23rd Sep 2009
BUT - only YOUR computer NZ... the rest of us are good to go. Apple just hates you... LOL
0 Votes
And before ALL the trolls go apesh!t...
vikingnyc@... 23rd Sep 2009
Or the "security by obscurity" crowd start chiming in their own unique brand of BS, remember there's a huge difference between a "vulnerability" and an "exploit".

Apple found a vulnerability - they patched it BEFORE - I'll say it again, BEFORE - any harm could be done. End of story. This has happened in the past, and it will no doubt happen again. Potential vulnerability is often the price of innovation.
Apple found a vulnerability - they patched it BEFORE - I'll say it again, BEFORE - any harm could be done.

...the trolls didn't accept this as a valid defense. And here it is, almost a year later, and we still see unpatched systems:

http://blogs.zdnet.com/security/?p=4388
0 Votes
A better one is the one circulating now (the SMBv2 vulnerability on Vista and Server 2008) which Microsoft has seen exploit code for and patched proactively.

In the case of MS08-067, there was active (low volume) malware in the wild using it, Microsoft issued a patch out-of-cycle (outside of the usual patch Tuesday).

Months later, Conficker (and other malware) took advantage of this vulnerability where unpatched and caused a lot of havoc.

In that regard, the poster is right - patching is incredibly important, not enough people do it consistently enough, especially on the home PC side (where iTunes is run a lot).

Michael Argast, Security Analyst, Sophos
The security bulletin states there were attempts to exploit the vulnerability. But I haven't read of anything that was successful. Perhaps you know differently given your employer?
0 Votes
Kind of like when
Erroneous 23rd Sep 2009
Conficker came up after the fix was in. The trolls still come out in force for that one.
0 Votes
Especially since...
vulpine@... 23rd Sep 2009
... Conficker is still one of the biggest botnets out there.
Bull - total Bull.

Potential vulnerability is often the price of slack coding.
What's a .pls file?
0 Votes
.pls
Eeem Updated - 23rd Sep 2009
http://en.wikipedia.org/ -> .pls

PLS is a computer file format that stores multimedia playlists.
It is a more expressive format than basic M3U, as it can store (cache)
information on the song title and length (this is supported in extended
M3U only).

With PLS version 2, playlists also include a PLS version declaration.

Microsoft Windows and its software does not automatically detect PLS
format and cannot run it. iTunes, Real player, Winamp, XMPlay, VLC
media player and Foobar play PLS files without any extra codecs.
Windows Media Player classic with K-Lite codec installed does work
with PLS format but still will not automatically detect it.
0 Votes
Is iTunes 8.2.1 vulnerable?
notlob 23rd Sep 2009
Apple's security advisory only says that iTunes 9 for Windows and Mac is affected. What about iTunes 8?
0 Votes
Did it say iTunes 8.2.1?
The 'G-Man.' 24th Sep 2009
Well then.
by virtue of them being from Metoosoft.
0 Votes
"Holy crip, it's a Crapple!"
0 Votes
Actually
Pete "athynz" Athens 23rd Sep 2009
the headline should read something like:

"Apple fixes the barn door PRIOR to the horse escaping"

But I guess something that paints Apple in a positive light is something that would get a blogger fired from ZDNet, yes?
0 Votes
Because MS also "fixed the barn door PRIOR to the horse escaping", but apparently that didn't matter - to this day the fanboys STILL point out how "insecure" Windows is because people decided not to apply the patch.

So the conclusion is that your excuse is unacceptable.

Sorry, try to apologize for Apple again but this time use some other logic...
... Microsoft guaranteed that worms attacking a specific vulnerability
would succeed.

In other words, Microsoft is working hand-in-hand, even if
involuntarily, with the malware creators.
...then I am not sure how you can blame MS for that.

And does Apple endorse downloads to hackintoshes?

Do you expect to get any sort of support from any company if you stole their product?
0 Votes
Wait....
Hallowed are the Ori 23rd Sep 2009
... I seem to recall reading somewhere that MS actually reversed course some time ago and started providing security updates even to those with pirated copies.

(Runs off to do a quick Google... done.)

Yeah, they did:

http://windowsteamblog.com/blogs/windowssecurity/archive/2009/04/27/who-gets-windows-security-updates.aspx

0 Votes
Wait, infected pirates count again?
NonZealot 23rd Sep 2009
Hmm, when the iWorks trojan was making its
round and infecting OS X users, we were all
told that pirates got what they deserved and
that infected pirates don't count when tallying
malware infections.

However, when it comes to Conficker, suddenly
infected pirates do count?

Cue the double standards...
0 Votes
Yes, Zealot, they do...
vulpine@... 24th Sep 2009
... especially when the victims are double victims--unknowing victims
of pirates and essentially-ignored victims of Microsoft's anti-piracy
policies.

Maybe Microsoft did change that policy, but they did so too late to
protect the innocent ones who thought they were getting legitimate
software. (The pirates themselves and the ones who knowingly
accepted pirated software deserve what they get... but why do we have
to put up with the fallout?)

Microsoft made too many mistakes in their anti-piracy policies, only
the least of which was assuming everyone was guilty until proven
innocent.
Instead of blaming the user, they should have traced the
perpetrators. The RIAA and MPAA made the same mistakes. If people
are pirating software, music or movies, there's money to be made.
Follow the money, not those few who make nothing from their efforts.
Find the money, and you'll find the pirates. Simple as that.

Double standards? At least Apple makes it easy every time. You still
have the choice not to accept an update, but it's pretty much the
fools who want something for nothing that end up becoming the
victims. Microsoft makes it easier now, but for a while their 'stealth'
updates upset a lot of people.
0 Votes
For all you know, the bad guys could be using that vulnerability right now. I recall the case of the infamous WMF exploit, where it was retroactively estimated to have been in use for a couple months before being ID'ed for what it was.

In the bigger picture, software is going to have security issues, that's just The Way Things Are. I hope Apple is planning their own equivalent to Microsoft's SDL, in order to weed out systemic causes of bugs where possible, mitigate those that slip through, and keep learning from the results & refining that process. Every company needs to stay on top of the security game.
You might also start feeling the urge to "think different".
