eEye Digital Security: two high-risk vulnerabilities in Apple’s iTunes and QuickTime

“Researchers at eEye Digital Security have pinpointed two high-risk vulnerabilities in iTunes and QuickTime that could put millions of Windows and Mac users at risk of code execution attacks. Aliso Viejo, Calif.-based eEye issued two alerts on its upcoming advisories Web page to warn of heap overflows and integer overflows in the two Apple products,” Ryan Naraine reports for eWeek. “Apple’s iTunes is a wildly popular online media service that sells music downloads and QuickTime is the company’s flagship media player.”

“eEye said the vulnerabilities affect QuickTime/iTunes on Windows NT, Windows 2000, Windows XP and Windows Server 2003. Mac OS X users are also vulnerable to the code execution attacks,” Naraine reports. “Apple does not comment on potential security vulnerabilities in its products until a fix is available. eEye only releases basic information on the existence of the bugs but withholds technical details until a patch is ready. In the meantime, users are urged to avoid clicking on untrusted media files.”

Full article here.

eEye’s Upcoming Advisories page is here.

MacDailyNews Take: Forget about the “in the meantime” stuff. Try “always,” instead. It’s just good plain sense. Always avoid clicking on untrusted media and other files.



  1. Frankly, the efforts of all these security researchers are doing nothing more than identifying potential vulnerabilities, prior to them being exploited.

    Nobody has found a vulnerability that HAS been exploited to date. For that we should rejoice.

  2. More attention MAKES for a better product (iTunes/QuickTime) and OS (Tiger).

    I welcome this stuff. I don’t see why the Mac community is so defensive about it. As a developer, I know first hand that planning for every contingency in a highly complex OS and/or App is not going to be foolproof. The fact that more eyes (pun intended) are on this, the better.

    I own AAPL and I use Macs but that doesn’t mean I am a lesser person when an opportunity for improvement is found. Perhaps some Mac heads should consider that attitude for themselves.

  3. Are you telling me it’s a bad idea to click on the file that has an MP3 icon but an .app suffix? Why is that? I like to click on every link I see.

    MDN word: think

    I think I should stop clicking on every file that I find on the interwebnet.

  4. I have the best security anywhere, a dedicated MacMini for my Web browsing (a cheap way to keep the web from touching the rest of the machines in my studio). Come on, I dare y’all to infect it.

    I’m waiting……. waiting……. waiting………

  5. Ok – so this is a ‘high risk’ vulnerability, we’ve also had recent ‘serious’ and ‘extremely serious’ vulnerabilities. But curiously not one single Mac in the real world has so far been affected.

    If ‘high-risk’ and ‘extremely serious’ are the appropriate terms for what has happened so far, we’d better have a word ready prepared for the big one.

    Might I suggest the word ‘real’. When I see a report saying that there has been a real vulnerability and that real Macs have been affected, then I’ll take it seriously. In the meantime, so long as the reported vulnerabilities are only hyper-critical, or mega-serious, I’ll rest easy until a real one comes along.

  6. How many of these recent vulnerabilities have been bought and paid for by Microsoft as part of a strategy to mask the incredible number of viruses and security issues they have?

    If the logic of these arguments is to not buy a Mac because of these minor risks, then it should be absolutely clear to the 95% of the market that is exposed to critical vulnerabilities in Windows that they should dump their PCs immediately!!!
