
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

WebKit security flaws haunt Apple's iTunes

By | June 17, 2010, 7:53am PDT

Summary: The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site.

Apple has shipped a critical security patch for its iTunes media player to fix several gaping security holes that expose Windows users to hacker attacks.

The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site. The update applies to Windows 7, Windows Vista and Windows XP machines.

In all, the new iTunes 9.2 fixes 40 documented vulnerabilities, most affecting the WebKit rendering engine. The WebKit vulnerabilities are the same ones that affected Apple’s Safari browser.

Here are the details on the iTunes vulnerabilities:

  • ColorSync (CVE-2009-1726) — A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of ColorSync profiles. This issue affects Windows 7, Vista, XP SP2 or later.
  • ImageIO (CVE-2010-1411) — Multiple integer overflows in the handling of TIFF files may result in a heap buffer overflow. Opening a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. The issues are addressed through improved bounds checking. Affects Windows 7, Vista, XP SP2 or later.
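
The ImageIO entry names a common bug class: a buffer size computed from file-controlled fields wraps around, so the allocation is smaller than the data later written into it. The C code below is an added illustration of that class and of the bounds check that closes it, not Apple's or any TIFF library's code; the function names, the 64 MiB cap and the sample dimensions are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for one decoded strip; not a value from the advisory. */
#define MAX_STRIP_BYTES ((size_t)64 * 1024 * 1024)

/* Bug pattern: the product of file-controlled fields is computed in 32 bits
 * and wraps modulo 2^32, so the result can be far smaller than the real size. */
static uint32_t strip_bytes_unchecked(uint32_t width, uint32_t rows,
                                      uint32_t bytes_per_pixel)
{
    return width * rows * bytes_per_pixel;
}

/* Bounds-checked form: returns 0 and sets *out on success, -1 on rejection. */
static int strip_bytes_checked(uint32_t width, uint32_t rows,
                               uint32_t bytes_per_pixel, size_t *out)
{
    uint64_t n;

    if (width == 0 || rows == 0 || bytes_per_pixel == 0)
        return -1;                      /* degenerate image header */
    n = (uint64_t)width * rows;         /* two 32-bit values always fit in 64 bits */
    if (n > UINT64_MAX / bytes_per_pixel)
        return -1;                      /* next multiplication would wrap */
    n *= bytes_per_pixel;
    if (n > MAX_STRIP_BYTES)
        return -1;                      /* larger than the decoder will ever accept */
    *out = (size_t)n;
    return 0;
}

/* Allocate only after the size has been validated; NULL means "reject file". */
static uint8_t *alloc_strip(uint32_t width, uint32_t rows,
                            uint32_t bytes_per_pixel, size_t *len)
{
    if (strip_bytes_checked(width, rows, bytes_per_pixel, len) != 0)
        return NULL;
    return malloc(*len);
}

int main(void)
{
    /* Constructed header values: the true size is 2^32 + 2^18 bytes. */
    uint32_t w = 0x10000u, r = 0x4001u, bpp = 4u;
    size_t len = 0;
    uint8_t *buf;

    printf("unchecked size: %u bytes\n", (unsigned)strip_bytes_unchecked(w, r, bpp));
    printf("checked result: %d\n", strip_bytes_checked(w, r, bpp, &len));

    buf = alloc_strip(640u, 480u, 4u, &len);
    printf("640x480x4 -> %s, %zu bytes\n", buf ? "allocated" : "rejected", len);
    free(buf);
    return 0;
}
```

With the constructed dimensions, the unchecked computation yields a plausible-looking 256 KiB request for an image that actually needs just over 4 GiB, which is the mismatch that turns an integer overflow into a heap buffer overflow.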


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

54
Comments


RE: WebKit security flaws haunt Apple's iTunes
FAULKNE 13th Oct
Good day to confirm this comment I would appreciate T h e b e s t o f Z D N e t d e l i v e r e d your website very nice to everyone Yes, Oracle is the only one with shared-disk architecture, but that is there advantage. It means you can add or remove nodes and the database lives on. In a shared nothing architecture, if you lose a node, you lose the system. I'm sure Oracle appreciates EMC highlighting their advantage.I also desire to signal in your RSS feeds. Thank you as soon as once again and maintain up the great operate Awesome post! Thank you very much || thanks for nice content this is really benefit to me.
0 Votes
Shoddy Apple programming strikes again!
0 Votes
@ericesque
You know... It's pretty hard to make anything that works right on Windows, and if Apple can't do it, likely nobody can.
0 Votes
@BenInBlack : ACTUALLY ITUNES IS BY FAR, BY FAR THE WORST APPLICATION EVER, EVER WRITTEN FOR WINDOWS (WHEN RANKED BY SECURITY FLAWS)!!! APPLE WANTS SECURITY FLAWS IN WINDOWS AND I AM CERTAIN THAT THEY KNOW A LOT MORE EXIST IN ITUNES!
0 Votes
@rmark@... And if you want iTunes on your computer, then you are asking for hackers and malware to have your way with your data and any personal information. ACTIVEX as a technology due to poor developer testing is the second most unsecure. Also, Apple is the worst at how long it takes them to fix security issues with its software.
@BenInBlack Apple's inabilities are its own.
0 Votes
O RLY...?
Wolfie2K3 18th Jun 2010
@BenInBlack
I've got plenty of software on my Windows machines that works right. And NONE of it has an Apple logo.

Maybe the whole point of Apple's Windows based software efforts is designed to lure you into buying a Mac. After all, iTunes, Quicktime and Safari all run better in their native environment. In other words, Apple's programmers make the Windows based software suck on purpose. "Oh dear, your system got PWNED? Sorry to hear that. Get a Mac - it's safe."

Gotta wonder exactly how many of these vulnerabilities exist on the OSX versions...
Apple should have written a different rendering engine for iTunes, it should not embed Safari into iTunes. iTunes has 90 percent marketshare and this is Apple's attempt to ensure that we don't use anything but Safari. That is anti-competitive. I should be able to remove Safari from iTunes and have it run just fine.

Oh, wait, that is only the case when it happens to IE and Windows. Right.

Cue the double standards...
0 Votes
@NonZealot
Oh please.
First of all, why should Apple not reuse code? Seems like a great idea to me.
Second, they did not embed "Safari" into iTunes - they use the WebKit. WebKit is a separate open-source project. Safari is Apple's closed product that also happens to use WebKit.
No double standards here, NZ. See ya.
0 Votes
Yes, there is a HUGE double standard
NonZealot 17th Jun 2010
@rossdav@...
First of all, why should Apple not reuse code?

Why shouldn't MS reuse code? If they have a great HTML rendering engine, why not reuse it throughout Windows?

Cue the double standards...

Second, they did not embed "Safari" into iTunes - they use the WebKit.

Likewise, MS never embedded IE into Windows, they reused Trident, the rendering engine.

Cue the double standards...
@rossdav@... Steve was right about cross platform programs. Ballmer should ban iTunes from Windows due to its overall crappiness and save us all from Apple's piss poor programming.
0 Votes
@rtk
It's called Cross-platform development tools, not cross-platform programs. Your facts are mixed.

& nobody is forcing you to install iTunes on Windows
0 Votes
@rossdav@... don't feed the troll.
0 Votes
@Jim888@...

But, but... Oh dang - you're right - I'm feeding the trolls... Sorry!

But just one more thing!
Actually I was one of possibly the few that agreed that Microsoft should darn well be able to embed a browser in their OS if they wanted to! Heck ChromeOS is going to basically be a browser/OS.
What I objected to was that MS using their monopoly power to warp web standards so that only MS's browser *worked*. That is essentially what the European Union was getting at - I think they just went about it the wrong way (but possibly the only way available).
0 Votes
@NaderBelaid...
Er.. Ok... So if I go out and buy a shiny new Apple iPhone, exactly HOW am I supposed to activate the bloody thing without having iTunes installed? Or for that matter, if I have an iPod, how do I get my media files onto it without iTunes?

You're kinda stuck with the POS if you wanna use their devices.
0 Votes
@NonZealot
Here you are again! showing how ignorant you are. iTunes built on Safari!!??? Why are you commenting on something clearly you have no idea about? Just like when you said that Mac OS X is built on PDF.
iTunes is built on Webkit, Safari is not Webkit, it's built on Webkit.
& you're comparing an Application like an iTunes with an OS like Windows??!!
Seriously you are amusing me. When I saw the Article I knew that I'll find you commenting something funny.
Gosh I like the success of Apple for one reason, to enjoy its effect on you & reading your hilarious comments
0 Votes
Links please!!!
NonZealot 17th Jun 2010
@NaderBelaid
iTunes built on Safari!!???

Quote me or apologize for lying.

iTunes is built on Webkit, Safari is not Webkit, it's built on Webkit

Yes, that was to trap all you double standards people who said IE was embedded into Windows. Windows used Trident. IE could always be removed.

you're comparing an Application like an iTunes with an OS like Windows??!!

Yes. You got a problem with that?
0 Votes
@NonZealot
Please! by all means! Explain to me how is Safari embedded to iTunes.
Saying that Safari is embedded with iTunes, to me is like saying that iTunes is built on Safari or the otherwise
Now don't forget that it was you who claimed that Safari is embedded with iTunes so the responsibility of proof lies on you, So Links please!!!
You clearly don't know what's the difference between an OS and an Application don't you?
Yet again you are mixing between the both. Windows doesn't use Trident. It's IE that's built on Trident
& IE wasn't removable till MS was forced by court to make IE removable. & Guess what! it's still not removable, MS made to allow the user to hide it but not completely uninstall it.

& Yes! I do have a problem with you comparing an application with an OS like Windows or any other OS. They are not the same.
Compare Apples with Apples not with Orange

Maan! your Apple's hate is really so fun
0 Votes
OS-X is built on PDF! lol
i2fun@... 19th Jun 2010
@NaderBelaid Read it here from WWDC 2003 where Apple blew junks touting its slower PowerPC chipped computers as faster than PC's. In the end, they were only faster on some things. Plus there was no real way to test the results in a comparison, because Windows did not run on PowerPC and they were testing against Intel chips without Hyper Threading and not directly against AMD 64bit procs with Hyper Transport! ....OS-X was as yet, not running on x86 platforms either!

http://arstechnica.com/wankerdesk/3q02/wwdc-622.html

So this isn't NonZealot speaking lies, here it is in print for your own glossy eyeballs to read! .....and weep!
@NonZealot Let's start with the fact that Safari is NOT embedded or tied to iTunes; though I will accept that the embedded browser does use Safari's SDK, they are still completely separate entities. iTunes does NOT have 90% marketshare since obviously you don't need iTunes if you don't have an i-Device. Since only about 70% of people use an i-Device, that means the number is significantly lower. This also means that Apple is NOT doing anything to force people to use Safari if they don't want to, unlike Microsoft's old tactics of going out of their way to ensure no other browser worked correctly in Windows and went so far as to make IE an integral part of the OS--something Apple hasn't come close to even now. I'm not saying Microsoft is still doing this, but you can still see allegations where Microsoft is trying to make its software the de-facto and ISO standard in world-wide computing.
0 Votes
@vulpine@... Many people use iTunes for other things than using iDevices. I use it for podcasts on Windows. Lousy application but unfortunately that is the best place for me to get what I want.
0 Votes
NonZealot is a Misnomer! Love it!!
i2fun@... 18th Jun 2010
@NonZealot Love reading your posts, they're always targeted at Apple's Zealot'd fans! haha... But they deserve every last ounce of it.

So I think you should change your name to "AntiZealot". Then you could have even more fun with them calling you the AntiChrist!!! .....because they believe Steve Jobs is the 2nd coming of God the iWiz!

Notice that this ZDNet story does what Apple and every Apple iFan does when something goes wrong; "BLAME IT ON SOMEBODY OR SOMETHING ELSE"!

What everyone fails to realize is that this is a life long habit for Apple. Remember when everything fell apart, when Steve stood behind his last iWiz of Odd Control Curtains proclaiming IBM PowerPC chips were the Uber KIND (like in pot) of High Performance drug Power, Mightier and Faster than Intel?

Remember what happened after that WWDC Magical Demonstration, when his iWiz of Odd Curtain fell and the numbers exposed him as a FRAUD! lol.....

Whose fault was THAT?!? ....not Steve's or Apple's.... It was IBM's!
0 Votes
@i2fun@... I think maybe you should study up on your history; what you're talking about is the old 'clock wars,' which eventually proved that clock speed isn't everything. In all honesty, the PPC chip operated faster by performing a function on every tick of the clock, not every other one. This meant that even when the PPC chip's clock 'stopped' at 1GHz, it still worked just as fast as a PC running a 2GHz 'Pentium.' And they didn't blame IBM for the failure to progress farther, but Motorola, who had taken over production of the chip and chose not to continue research. The fact that Microsoft then chose to use the PPC chip itself in XBoxes proves the chip's capability and the supposed larger market offered by the Xbox finally encouraged Motorola to resume development--but IBM is still not involved.

If you ask me, NZ needs to take the 'non' out of his username; his zealotry is more than obvious to anyone by the fact that he can't say anything positive about Apple, no matter how hard he tries. He and others are definite anti-Apple zealots, working hard to make Apple look bad, which only intrigues more people into looking at Apple's products and choosing to buy them. Why else would Apple's installed base have risen to near 20% in only two years and Apple's new product concepts break all previous records in sales?
@vulpine Yes I know and that's why Apple was able to take its Velocity Engine to Intel with them. But my point was that it was Apple's chicanery (lies and deception) in comparing itself on incomparable hardware that exposed Steve's lies then. When Windows could not be run on IBM's PowerPC chips. That they lied about it being them that designed the Velocity Engine, when it was designed by Freescale. Motorola's Freescale engineers designed it under AIM. Apple only put money into it!

If you read over the transcript of that 2003 WWDC, Jobs took InFomercial Marketing to new heights of deception by design. By trying to prove that slower PowerPC chips were faster at everything than Intel x86's faster proc'd PC's. At the time they really weren't. Nor are they still with Intel also having Hyper Threading and IBM clocking to over 6GHz!

Back to my point; if.... it's really WebKit's (Open Source Project off KHTML) fault, then why isn't Opera Browser and Chrome affected by these same security issues on Windows machines? Chrome btw is the most secure browser on the web. It's the only browser that didn't fall at PWN2OWN this year. While Safari took the first dive to death. So it can't be Webkit's fault!!!
-------------------------------------------------------
Now here's another point on Apple's blaming AT&T for their present problems (like when they blamed IBM for their change to Intel); Under Apple's contract with them, there's a hush clause that basically says that AT&T must keep their mouth shut and grin and bear Apple's humiliation for them!

Why? Because Apple is the first manufacturer allowed to keep all profits of their iPhones sold by AT&T (where sales are subcontracted as if to Walmart or any other outlet) .... And are the first one allowed to run its own SERVER FARMS for handling those transactions. Along with their own Garden Walled environment. Apple is only subcontracting their customer's wireless service from AT&T for them. So basically the server programs and account software is all Apple's.

Meaning this whole security debacle is Apple's software failure. NOT AT&T's account servicing and service. I can run another brand phone, bought from AT&T, running on their own OPEN servers without any problems whatsoever as proof!

So it will be a cold day in hell that Verizon under its newly formed affiliation with WAC (40 wireless service providers):
http://www.fastcompany.com/1637428/cellphone-networks-gang-up-to-wrest-smartphone-control-from-apple-and-google

....to ever have an iPhone/iPad running on its NOW OPEN NETWORK! ...remember that AT&T was also Garden Walled and Verizon killed their Garden Walled Network in 2008. Apple wants to sell you their whole enchilada. Gas producing proprietary AOL HELL Garden Walled Network and all. That is ultimately doomed to failure!

Don't look now, but after taking Apple's Server Security failures on the chin, no way in hell.... is AT&T going to re-sign with Apple under these present contract terms and conditions either!!!
0 Votes
But why does it affect only windows?
OS Reload Updated - 17th Jun 2010
Shouldn't it affect OS X as well?

Maybe the way OS X's security model is designed prevents such an attack. OS X is Unix after all, based on Open BSD, so its core is very robust. True, the eye-candy GUI that Apple has slapped on top of it is vulnerable but the core is very robust.
0 Votes
Another, more likely possibility
NonZealot 17th Jun 2010
@OS Reload
Apple is starting to write in vulnerabilities into the Windows versions of its applications. I wouldn't put it past them.
0 Votes
@NonZealot

So they can fix them at a later date?

Why would they do that?
0 Votes
"robust"
ericesque 17th Jun 2010
@OS Reload
I like that you can regurgitate terms like "robust core", but what I'd really love is to see you try to explain what that is supposed to mean. But the truth is you haven't the slightest clue, isn't it?
@ericesque: I like that you can regurgitate terms like "robust core", but what I'd really love is to see you try to explain what that is supposed to mean.

Not specifically from him but many others like him who have made similar claims.
@OS Reload
Seems to me Charlie Miller's latest pwnage had to do with the Mac visiting a malicious website of his own creation... And if I recall correctly, he had full access to the OS... i.e. ROOT access.

DOH!
0 Votes
Another BS headline
jgpeters 17th Jun 2010
I am finally coming to realize that the worst trolls on ZDNet are actually the ZDNet employees (no offense to NZ who is in class all by himself). So 9.2 PATCHES flaws. How does that make vulnerabilities "haunt" iTunes? I guess they get paid by the hits they get to their blogs, so it's not important that it be accurate, just that it makes people click.
0 Votes
you are right
banned from zdnet 17th Jun 2010
@jgpeters
but yet we fall for it. maybe we should just start to ignore the drivel.
@jgpeters You do realize that a patch that fixes flaws conclusively proves that there was a flaw. Agreed?

If so, vulnerabilities haunt iTunes. If not, you're too deep in the kool-aid to save.
0 Votes
how about this headline
banned from zdnet 17th Jun 2010
@rtk
iTunes had some flaws, but now it is fixed.

like it?
0 Votes
@rtk I fully agree that a patch implies a flaw that needed repair.

Will you agree that the following ZDNet Zero Day headlines should be changed?

"Patch Tuesday heads-up: 10 bulletins, 34 flaws (IE, Windows affected)" SHOULD READ: "Security flaws haunt Microsoft's Windows" or "Security flaws haunt Microsoft's Internet Explorer"

"Adobe plugs 32 security holes in 'critical' Flash Player patch" SHOULD READ "Security flaws haunt Adobe's Flash Player"

"Adobe zaps critical Shockwave vulnerabilities" SHOULD READ "Security flaws haunt Adobe's Shockwave"

"Adobe PDF silent updater, critical patch coming next Tuesday" SHOULD READ "Security flaws haunt Adobe's PDF reader"

"Java update plugs 27 critical security holes" SHOULD READ "Security flaws haunt Sun's Java"

"Mozilla Firefox first to patch Pwn2Own vulnerability" SHOULD READ "Security flaws haunt Mozilla's Firefox"

Shall I continue, or are you too deep in the kool-aid to save?
0 Votes
I mean, WTF?

It's on iPhone 4, and it has the same processor as the iPad.

Why does it take until the fall to put an OS on a device that only has a different-sized screen?

Is that an indication of how bad Apple is at writing their own OS? They can't put in resolution independence even in the 4th version of the OS?

If that's an indication of their coding skills, then it's no wonder their software is so full of security flaws.
0 Votes
Try typing "security flaws haunt" into the search box before commenting.
0 Votes
@msalzburg re: @rsalzburg I apologize for the typo.
0 Votes
@Mike062 The difference is that when you search for "security issues haunt" you come up with a lot of headlines about issues that haven't been patched. In this case, as in the ones I quoted, the issues have been dealt with. So why is this the one patch that 'haunts?'
0 Votes
That's strange I thought it was getting ready for the pending release of iOS 4 and the iPhone 4.

Over 100Mb, those are some "security flaws".
0 Votes
@hill60
The 100MB download figure doesn't say anything about the nature of the security flaws. Remember, the 100MB download isn't just a series of targeted patches which replace only the vulnerable portions of iTunes; rather, the 100MB download contains a *whole new* copy of the entire program.
@lfmorrison I'm sure @hill60 knew that and chose to exaggerate it anyway. That's just like the hundreds of Megabytes Microsoft uses to update Windows subroutines every month. Honestly, I'd prefer to see a complete re-write in most cases than a patch--a patch often simply exposes new holes.
0 Votes
All OS's designed for clients (and maybe all for servers) come with a default browser. MS is the only one to offer a choice (in Europe). I think all OS's for clients should offer a choice or none should. I would love to see Apple allow a user choice when a new MAC is purchased! Steve Jobs are you listening!
0 Votes
@rmark@... Actually, until MS abandoned IE for the Mac every Mac had both Safari and IE, before that, Netscape and IE. As for a choice, any Mac user can download any browser and are free to use them. I have Opera, Firefox, and Chrome on my Mac. No penalty for installing them and using them. Changing my default browser is a one click operation, unlike when MS 'imbedded' IE into their OS and it took a geek to use another browser and even then you were penalized by the OS. Big difference in business models between Apple and Microsoft. Apple competes. Microsoft monopolizes.
@dheady@...
The Mac version of IE was only produced from about 1997 to 2003. Safari was first released in 2003 with the release of Panther OSX 10.3.

Funny thing about IE on Windows. I've always been able to install it and it's maybe 4 clicks to change the preference - and has been the case for as long as Windows 95... Tools | Internet Options | Programs - click the Make Default button. Check the "Tell me if IE is not my default browser" (or uncheck it). In Firefox it's a similar process. Not sure about other browsers, but I'm thinking they're not too much different.

No geekiness required.