iTunes 4.8 (#3): Security patch included

CNET staff

Though Apple initially offered sparse details about the changes made in iTunes 4.8, stating that the new release offers new Music Store features and support for transferring contacts and calendars from your computer to your iPod, the company has now posted a Knowledge Base document (#301596) detailing another important change in the update.

iTunes 4.8 patches a buffer overflow flaw in iTunes that could cause a denial of service and lead to execution of arbitrary code.

Apple's description reads:

"The MPEG4 file parsing code in iTunes versions prior to 4.8 contains a buffer overflow vulnerability. Parsing a maliciously-crafted MPEG4 file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 4.8 addresses this issue by improving the validation checks used when loading MPEG4 files. iTunes 4.8 is available here. Credit to Mark Litchfield of NGS Software for reporting this issue."

Resources

  • #301596