Security flaw in Apple iTunes 6 affects Windows version

“A critical vulnerability, found in some versions of Apple Computer’s popular iTunes, could enable attackers to remotely take over a user’s computer, according to a warning issued Thursday by a security research firm,” Dawn Kawamoto reports for CNET News. “The discovery of this flaw comes days after Apple issued its security update for iTunes 6 for Windows. This flaw existed on the earlier version of iTunes 6 for Windows and was not addressed by the newest security update, according to a warning issued by eEye Digital Security.”

“After eEye mistakenly posted a note on its Web site saying the iTunes flaw affected ‘all operating systems,’ the security firm updated its warning to indicate that the flaw had been found only on the Windows operating system so far,” Kawamoto reports. “However, eEye is now testing whether the flaw also affects iTunes running on Mac operating systems. Apple iTunes 6 for Windows, as well as the previous version, are affected by the flaw, said Steve Manzuik, product manager at eEye. The flaw enables malicious hackers to launch arbitrary code remotely, once a user clicks on a malicious Web site link or opens a malicious e-mail, Manzuik said.”

Full article here.


Related articles:
Security flaw discovered in some Apple iTunes versions – November 18, 2005

34 Comments

  1. Don Q., I guess shipwithsails doubt comes rather from “The flaw enables malicious hackers to launch arbitrary code remotely, once a user clicks on a malicious Web site link or opens a malicious e-mail, Manzuik said.”

    ONCE a user clicks on a malicious Web site or opens a malicious e-mail?
    And how is this an iTunes NEWLY introduced vulnerability to swiss-cheese, laughably insecure Windows?

  2. The problem actually is “… the flaw could allow an attacker to create a way for an alternate program to be initiated by iTunes.”

    Sorry Windows users but the problem is – AGAIN – rather a Windows issue, or inability to protect itself. What iTunes failed is to understand how fundamentally weak Windows is and that iTunes has to take additional protection steps in place of the operating system that fails users abysmally on security.

    Essentially, iTunes cannot *trust* Windows and *obey* the OS requests to run a helper application. The patched version will reply to Windows: “Sorry pal, you are unreliable. What do you think you are? OS X? UHAHHAHAHAHAHAUH. Let me explain to the user in control what you are trying to make me do and let’s see who is in command here, you OS Windows blockhead!”

  3. I was wondering the same thing as others here. Is it an iTunes vulnerability if it requires clicking a link or a ‘malicious email’?

    I would guess IE for Windows, or Outlook, as the culprits, but it’s not specified in the linked articles.

  4. Thanks for the kind words. I’m glad some of you feel the same way.

    Bill,

    I didn’t post any pictures, that was Anim8tor.

    Brad T,

    There is an exception to every rule. Good luck with the hot chicks.
    I got doubly lucky in that the hot chick I get to make out with is the same one who introduced me to Macs.

  5. Anim8tor,

    I just checked out the pics.

    Nice. Don’t let Bill tell you otherwise.

    I saw at least 3 faces.

    Thanks for sharing. I was at the Houston Galleria Apple Store this morning, it is always a blast.

    ~M

  6. I seriously doubt it affects OS X. First you need to get through the firewall and then you would need the admin password for anyone to change anything. So right there any hacker trying to get through iTunes would be stopped dead in their tracks. And if you have a router that is configured properly and tested at GRC.com you are probably even safer.

  7. John,

    Good points, also let’s not forget that as compartmentalized as OS X is, any attack would only make changes on the active account, unless the root was active (this is at least my understanding, anyone with UNIX expertise might be able to clarify).

    ~M

  8. It’s true, us Macheads do get to make out with all the hot women and of course actually make something with our computers instead of having to fight them before anything can be done with them.

    ewww… you make out with your computer.

  9. Mozfan,
    I did notice the time difference, and can’t explain it. The note took ~1 minute to type. In that time, nothing appeared in the Posts section, only after the refresh after my note posted, so likely it’s been a server problem at MDN’s end. Haven’t people been saying that the site’s been real slow lately? I’ve usually had no trouble down here in Sydney.
