July 20, 2010

iTunes holes can provide full system access

Apple asks users to upgrade.

Secunia reports that it found a vulnerability in iTunes. The security company rates the hole "highly critical", which is its second-highest threat level.
The level means that malware can gain full system access to the computer, but so far there is no evidence of attacks in circulation.

The vulnerability is due to an error in how the program handles itpc:// links (the iTunes protocol). Specially crafted URLs using this protocol can lead to buffer overflow errors, which in turn allow execution of arbitrary code.
Apple acknowledges the error. According to Apple, the error is only in iTunes 9 for Windows, while Secunia reports that all older versions of iTunes are affected, on both Mac and Windows.

The hole, however, should be sealed in the latest version.

iTunes 9.2.1 was released on Monday this week, and both Secunia and Apple urge users to upgrade.