Apple's iTunes 8.1 plugs malicious podcast security hole

Latest version of iTunes addresses two security issues, including one that could expose usernames and passwords.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

March 12, 2009 1:47 p.m. PT

Apple on Thursday released iTunes 8.1, which includes a fix for a vulnerability that could lead to theft of usernames and passwords if a podcast containing malware were subscribed to.

The software update addresses a design issue in the iTunes podcast feature that made it possible for a subscription to a malicious podcast to cause an authentication dialog to be displayed that could prompt the user for log-in credentials to the podcast server, Apple's advisory said.

The issue affects Mac OS X v 10.4.10 and later. The issue was reported by Simon Bellwood.

iTunes 8.1 also fixes a vulnerability that could allow maliciously crafted Digital Audio Access Protocol messages to cause a denial of service on computers running Windows XP or Vista. Fortinet's Fortiguard Global Security Research team is credited with discovering this bug.