Apple plugs security hole in iTunes

Flaw, described as "highly critical" by Secunia, could let an attacker sneak into a system or cause the music software to crash.

Dawn Kawamoto
Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Apple Computer has patched a flaw in iTunes that could open the door to a remote attack on a person's computer.

The fix was released as part of the company's iTunes 4.8 update. Earlier versions of the music software have a vulnerability within MPEG-4 file parsing, Apple said in a security advisory. People who access a malicious MPEG-4 file could trigger a buffer overflow exploit, which could then allow an attacker to gain remote control of their computer without their knowledge or crash iTunes.

"This is considered highly critical because it doesn't require significant user interaction," said Thomas Kristensen, chief technology officer at Secunia, which released an advisory on the security hole on Tuesday. "If you visit a malicious Web site and have an MPEG-4 data stream handled by an iTunes application, you could be affected."

The iTunes update is designed to improve the validation checks that are used when MPEG-4 files are loaded. It is available for Mac OS X, Microsoft Windows XP and Microsoft Windows 2000.

Apple's move follows the release last week of 20 fixes for holes in its Mac OS X operating system software.

The company plugged an earlier hole in iTunes in January in its version 4.7 update to the software, fixing a flaw in the handling of playlists, Kristensen said. That earlier vulnerability could also be exploited to terminate iTunes and execute arbitrary code.