WebKit security flaws haunt Apple's iTunes

WebKit security flaws haunt Apple's iTunes

Summary: The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site.

SHARE:

Apple has shipped a critical security patch for its iTunes media player to fix several gaping security holes that expose Windows users to hacker attacks.

The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site. The update applies to Windows 7, Windows Vista and Windows XP machines.

In all, the new iTunes 9.2 fixes 40 documented vulnerabilities, most affecting the WebKit rendering engine.   The WebKit vulnerabilities are the same that affected Apple's Safari browser.

Here are the details on the iTunes vulnerabilities:follow Ryan Naraine on twitter

  • ColorSync (CVE-2009-1726) -- A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of ColorSync profiles.  This issue affects Windows 7, Vista, XP SP2 or later.
  • ImageIO (CVE-2010-1411) -- Multiple integer overflows in the handling of TIFF files may result in a heap buffer overflow. Opening a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. The issues are addressed through improved bounds checking.  Affects Windows 7, Vista, XP SP2 or later.

Topics: Hardware, Apple, Microsoft, Mobility, Operating Systems, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

45 comments
Log in or register to join the discussion
  • As if we needed another reason to avoid iTunes...

    Shoddy Apple programming strikes again!
    ericesque
    • RE: WebKit security flaws haunt Apple's iTunes

      @ericesque
      You know... It's pretty hard to make anything that works right on Windows, and if Apple can't do it, likely nobody can.
      BenInBlack
      • RE: WebKit security flaws haunt Apple's iTunes

        @BenInBlack : ACTUALLY ITUNES IS BY FAR, BY FAR THE WORST APPLICATION EVER, EVER WRITTEN FOR WINDOWS (WHEN RANKED BY SECURITY FLAWS)!!! APPLE WANTS SECURITY FLAWS IN WINDOWS AND I AM CERTAIN THAT THEY KNOW A LOT MORE EXIST IN ITUNES!
        rmark@...
        • RE: WebKit security flaws haunt Apple's iTunes

          @rmark@... And if you want iTumes on your computer, then you are asking for hackers and malware to have your way with your data and any personal information. ACTIVEX as a technology due to poor developer testing is the second most unsecure. Also, Apples is the worst at how long it takes them to fix security issues with its software.
          rmark@...
      • RE: WebKit security flaws haunt Apple's iTunes

        @BenInBlack Apple's inabilities are it's own.
        rtk
      • O RLY...?

        @BenInBlack
        I've got plenty of software on my Windows machines that works right. And NONE of it has an Apple logo.

        Maybe the whole point of Apple's Windows based software efforts is designed to lure you into buying a Mac. After all, iTunes, Quicktime and Safari all run better in their native environment. In other words, Apple's programmers make the Windows based software suck on purpose. "Oh dear, your system got PWNED? Sorry to hear that. Get a Mac - it's safe."

        Gotta wonder exactly how many of these vulnerabilities exist on the OSX versions...
        Wolfie2K3
  • This wouldn't happen if they didn't tie their browser to their media player

    Apple should have written a different rendering engine for iTunes, it should not embed Safari into iTunes. iTunes has 90 percent marketshare and this is Apple's attempt to ensure that we don't use anything but Safari. That is anti-competitive. I should be able to remove Safari from iTunes and have it run just fine.

    Oh, wait, that is only the case when it happens to IE and Windows. Right.

    Cue the double standards...
    NonZealot
    • RE: WebKit security flaws haunt Apple's iTunes

      @NonZealot
      Oh please.
      First of all, why should Apple not reuse code? Seems like a great idea to me.
      Second, they did not embed "Safari" into iTunes - they use the WebKit. WebKit is a separate open-source project. Safari is Apple's closed product that also happens to use WebKit.
      No double standards here, NZ. See ya.
      rossdav
      • Yes, there is a HUGE double standard

        @rossdav@...
        [i]First of all, why should Apple not reuse code?[/i]

        Why shouldn't MS reuse code? If they have a great HTML rendering engine, why not reuse it throughout Windows?

        Cue the double standards...

        [i]Second, they did not embed "Safari" into iTunes - they use the WebKit.[/i]

        Likewise, MS never embedded IE into Windows, they reused Trident, the rendering engine.

        Cue the double standards...
        NonZealot
      • RE: WebKit security flaws haunt Apple's iTunes

        @rossdav@... Steve was right about cross platform programs. Ballmer should ban iTunes from Windows due to it's overall crappiness and save us all from Apple's piss poor programming.
        rtk
      • RE: WebKit security flaws haunt Apple's iTunes

        @rtk
        Its called Cross-platform development tools, not cross-platform programs. Your facts are mixed.

        & no body is forcing you to install iTunes on Windows
        NaderBelaid
      • RE: WebKit security flaws haunt Apple's iTunes

        @rossdav@... don't feed the troll.
        Jim888
      • RE: WebKit security flaws haunt Apple's iTunes

        @Jim888@...

        But, but... Oh dang - you're right - I'm feeding the trolls... Sorry!

        But just one more thing! :-)
        Actually I was one of possibly the few that agreed that Microsoft should darn well be able to embed a browser in their OS if they wanted to! Heck ChromeOS is going to basically be a browser/OS.
        What I objected to was that MS using their monopoly power to warp web standards so that only MS's browser *worked*. That is essentially what the European Union was getting at - I think they just went about it the wrong way (but possibly the only way available).
        rossdav
      • RE: WebKit security flaws haunt Apple's iTunes

        @NaderBelaid...
        Er.. Ok... So if I go out and buy a shiny new Apple iPhone, exactly HOW am I supposed to activate the bloody thing without having iTunes installed? Or for that matter, if I have an iPod, how do I get my media files onto it without iTunes?

        You're kinda stuck with the POS if you wanna use their devices.
        Wolfie2K3
    • RE: WebKit security flaws haunt Apple's iTunes

      @NonZealot
      Here you are again! showing how ignorant you are. iTunes built on Safari!!??? Why you are commenting on something clearly you have no idea about? Just like when you said that Mac OS X is built on PDF.
      iTunes is built on Webkit, Safari is not Webkit, its built on Webkit.
      & your comparing an Application like an iTunes with an OS like Windows??!!
      Seriously you are amusing me. When i saw the Article i knew that i'll find you commenting something funny.
      Gosh i like the success of Apple for one reason, to enjoy Its affect on you & reading your hilarious comments
      NaderBelaid
      • Links please!!!

        @NaderBelaid
        [i]iTunes built on Safari!!???[/i]

        Quote me or apologize for lying.

        [i]iTunes is built on Webkit, Safari is not Webkit, its built on Webkit[/i]

        Yes, [b]that[/b] was to trap all you double standards people who said IE was embedded into Windows. Windows used Trident. IE could always be removed.

        [i]your comparing an Application like an iTunes with an OS like Windows??!![/i]

        Yes. You got a problem with that?
        NonZealot
      • RE: WebKit security flaws haunt Apple's iTunes

        @NonZealot
        Please! by all means! Explain to me how is Safari embedded to iTunes.
        Saying that Safari is embedded with iTunes, to me is like saying that iTunes is built on Safari or the otherwise
        Now don't forget that it was you who claimed that Safari is embedded with iTunes so the responsibility of proof lies on you, So Links please!!!
        You clearly don't know whats the different between an OS and an Application don't you?
        Yet again are mixing between the both. Windows don't use Trident. Its IE thats built on Trident
        & IE wasn't removable till MS was forced by court to make IE removable. & Guess what! its still not removable, MS made to allow the user to hide it but not completely uninstall it.

        & Yes! I do have a problem with you comparing an application with an OS like Windows or any other OS. They are not the same.
        Compare Apples with Apples not with Orange

        Maan! your Apple's hate is really so fun
        NaderBelaid
      • OS-X is built on PDF! lol :D

        @NaderBelaid Read it here from WWDC 2003 where Apple blew junks touting it's slower PowerPC chipped computers as faster than PC's. In the end, they were only faster on some things. Plus there was no real way to test the results in a comparison, because Windows did not run on PowerPC and they were testing against Intel chips without Hyper Threading and not directly against AMD 64bit procs with Hyper Transport! ....OS-X was as yet, not running on x86 platforms either!

        http://arstechnica.com/wankerdesk/3q02/wwdc-622.html

        So this isn't NonZealot speaking lies, here it is in print for your own glossy eyeballs to read! .....and weep! ;)
        i2fun@...
    • Talk about cueing double standards--are YOU ever guilty!

      @NonZealot Let's start with the fact that Safari is NOT embedded or tied to iTunes; though I will accept that the embedded browser does use Safari's SDK, they are still completely separate entities. iTunes does NOT have 90% marketshare since obviously you don't need iTunes if you don't have an i-Device. Since only about 70% of people use an i-Device, that means the number is significantly lower. This also means that Apple is NOT doing anything to force people to use Safari if they don't want to, unlike Microsoft's old tactics of going out of their way to ensure no other browser worked correctly in Windows and went so far as to make IE an integral part of the OS--something Apple hasn't come close to even now. I'm not saying Microsoft is still doing this, but you can still see allegations where Microsoft is trying to make its software the de-facto and ISO standard in world-wide computing.
      Vulpinemac
      • RE: WebKit security flaws haunt Apple's iTunes

        @vulpine@... Many people use iTunes for other things than using iDevices. I use it for podcasts on Windows. Lousy application but unfortunately that is the best place for me to get what I want.
        kdjkdj@...