Google helps close 163 security vulnerabilities in iTunes

Summary: Google has had a helping hand in identifying some of the 163 vulnerabilities that were closed in the latest version of iTunes released with the launch of the iPhone 5.


Apple's unveiling of its new, overhauled iTunes has been touted by the company as its way of "going back to our roots with an incredibly clean design," but underneath the shiny veneer there are also a number of security vulnerabilities that have been patched — 163 of them.

In a rather vague security bulletin released by the company today, Apple listed the vulnerabilities that affect WebKit, the open-source rendering engine that powers iTunes. iTunes has been hit by WebKit flaws in the past, with Apple previously making about 40 fixes for iTunes 9.2, most of which were WebKit related.

WebKit is also used by Google Chrome, meaning that any vulnerabilities discovered by Google ultimately also benefit Apple, and vice versa. Google appears to have done most of the groundwork for Apple, however: Google's security teams found 74 vulnerabilities, while Apple's found 26. The remainder were found by other security groups and individual contributors.

The vulnerabilities mean that if users are tricked into visiting a specially crafted website, it can force iTunes to quit unexpectedly or, worse, execute arbitrary code that could allow an attacker to take control of the victim's computer.

Apple has not listed which versions of iTunes are affected by the vulnerabilities.


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Isn't Android using webkit too?

    So how is Google going to patch the webkit on Android?
    • wow

      do you not have basic understanding?
      dresky - take out ya nerd sticks and let's nerd fap
  • WebKit is related to Apple Safari and not with Apple iTunes.

    So, it is strange that your article does not mention Safari nor Mobile Safari at all.
    This is because closing security vulnerabilities in WebKit will benefit Safari more than iTunes.
    • iTunes uses WebKit

      Interesting thoughts, sidic.

      Safari is yet another application that uses WebKit, but Apple's advisory (linked in the article) was -specifically- for iTunes (WebKit is a core part of how iTunes displays content). Safari is indeed prone to the very same vulnerabilities, but Apple has previously released updates addressing these (see for example).

      This begs the questions: why has Apple not picked up more vulnerabilities, since it has at least three applications which are vulnerable, and, given that it knew about them months before now, why did it choose not to provide users with patches to protect themselves?

      Hope that helps! =)

      Michael Lee (Mukimu)
  • iTunes is easy to secure.... de-install it.

    Since it has never worked decently and is always a security leak, why bother with the Apple junk code.
    Reality Bites
    • The same goes for Visual Basic.

      But people still use it.
      I guess you gotta patch what people use, and not wish for more secure software.
  • not so

    Google is getting your data and selling it to other companies
    • oh dear

      are you still here? and your relevant point is...?
  • OpenSource meaning ??

    Hi :)
    What does OpenSource mean?

    I thought it meant a collaborative development model where the work done by companies and individuals benefits all companies and individuals using the product? Sharing is probably a difficult concept to grasp.

    The advantage is that if someone else spots a problem then anyone can work on it and then everyone gets the benefit.

    That means the number of devs that can work on the project is not limited to the devs working in a single company. It also prevents any single company from re-packaging the product and claiming that it's new and then forcing people into buying the 'new' product in order to continue getting the functionality. While that sort of thing might be attempted, people could respond by continuing to use the version that is still maintained by the other companies and individuals.

    It is a bit cheeky if one company refuses to put any work in and then claims 'their' product is hugely improved!! I think that is what the article was pointing out.
    Regards from
    Tom :)