Apple plugs 57 major security holes in iTunes

If you use Apple's iTunes software -- whether on Windows or Mac OS X -- it's important that you immediately apply the latest software update.

Apple has shipped iTunes 10.2 as a highly critical patch to cover a whopping 57 security vulnerabilities, some serious enough to allow hackers to take complete control of a vulnerable machine.

According to an advisory from Apple, 50 of the 57 flaws were fixed in WebKit, the open-source rendering engine used within the multimedia software.

The vulnerabilities could be exploited to launch remote code execution attacks if a user simply opens an image file or surfs to a rigged Web site, Apple warned.

follow Ryan Naraine on twitter

Most of the WebKit flaws were reported by Google's security team and TippingPoint's ZDI, a third-party broker of vulnerability information.

In addition to the WebKit issue, Apple also fixed the following:

  • ImageIO: libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. For Mac OS X v10.5 systems, this is addressed in Security Update 2010-007. Further information is available via the libpng website. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A heap buffer overflow issue existed in ImageIO's handling of JPEG images. Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A buffer overflow existed in libTIFF's handling of JPEG encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • ImageIO: A buffer overflow existed in libTIFF's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • libxml: A double free issue existed in libxml's handling of XPath expressions. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).
  • libxml: A memory corruption issue existed in libxml's XPath handling. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution. (Windows 7, Vista, XP SP2 or later).

The company called special attention to a man-in-the-middle attack scenario that may lead to an unexpected application termination or arbitrary code execution while a target user is browsing the iTunes Store via iTunes. This is caused by a vulnerability in WebKit.

iTunes 10.2 is being pushed out via the Mac OS X and Windows software update mechanisms. It can also be downloaded directly from Apple's iTunes web site.