iTunes update fixes security flaw

A flaw in the music software could allow a hacker to take over Windows and Mac machines remotely
Written by Andrew Donoghue, Contributor

Apple has issued an update to its iTunes music software, patching a security flaw that could open Mac or Windows machines to attack.

Announced on Tuesday, iTunes 9.0.1 arrives two weeks after iTunes 9.0, which was released on 9 September. It fixes a buffer overflow flaw that could allow an attacker to create a malicious playlist file that, if clicked on, could let the intruder crash applications or remotely run code on the computer, possibly taking it over.

"Opening a maliciously crafted .pls file may lead to an unexpected application termination or arbitrary code execution," Apple said in its security advisory.

The security patch is available for machines running Mac OS X v10.4.11 or later, Mac OS X Server v10.4.11 or later, plus Windows XP, Vista and Windows 7.

As well as patching the security flaw, iTunes 9.0.1 includes fixes for other bugs, such as the music player becoming unresponsive or unexpectedly quitting. It also improves application syncing and browsing in the iTunes Store, according to Apple.

iTunes 9 featured new functionality such as home sharing, which allows content to be shared across a home network; more use of cover art to ease navigation; and a redesigned iTunes Store.

In August, Apple patched an arbitrary code execution flaw in the iPhone which could have allowed a hacker to control the device by sending an SMS.
