This week in security

The new music software includes a "MiniStore" window, which provides recommended links to Apple's music download service when listeners click on songs in their personal playlist, including songs that haven't been purchased from the iTunes store.

To provide those recommendations, the software sends information about the selected song, such as artist, title and genre, back to Apple. But the software also transmits a string of data that is linked to a computer user's unique iTunes account ID, computer experts have found. Because iTunes users typically sign up for the music store with an e-mail address and a credit card number, the account ID number could in theory be linked to that information as well as a customer's purchase history.

Apple also warned about serious security flaws in QuickTime, saying that vulnerabilities in the media player put computers running Windows and Mac OS X at risk of being commandeered by an outsider. An attacker could exploit the flaws by tricking the user into opening a malicious file.

Apple released QuickTime 7.0.4 to address the vulnerabilities. The French Security Incident Response Team, a commercial security monitoring and research outfit, described the problems as "critical," its highest risk rating.

Meanwhile, Symantec released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software. In the PC-tuning application, a feature called the Norton Protected Recycle Bin creates a hidden directory on Windows systems. The feature is meant to help people restore modified or deleted files, but the hidden folder might not be scanned during scheduled or manual virus scans.

Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC security fiasco. The record label was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology also offered a hiding place for malicious software.