The company releases an update for iTunes that patches a "highly critical" vulnerability in the media player.
Along with introducing a slew of new
hardware and software on Tuesday, Apple Computer Inc. also quietly released an
update for iTunes that fixes a serious security vulnerability found in both
Windows and Mac OS X versions of the media player.
The update, iTunes 4.7.1, patches a bug
in the way iTunes handles the common .m3u and .pls playlist files. A buffer
overflow that occurs when a user attempts to play one of these files—often
exchanged over the Internet as a way of organizing music tracks—can crash the
player and execute malicious code on a user's system, company officials said.
The vulnerability, which merited a
"highly critical" rating from independent security research firm
Secunia, affects Windows XP, Windows 2000 and Mac OS X systems. Apple security
information and updates can be found on Apple's Web site.
Besides the security fix, iTunes 4.7.1
also adds shuffle and photo features for the iPod, as well as performance
improvements.
Click here to read about
Apple's new flash-based iPod shuffle and other products announced at
Macworld.
ITunes is Apple's desktop interface for
its industry-leading iPod music player, and is widely used on both Windows and
Mac systems. The program is also the only way for users to interact with the
popular iTunes Music Store.
Media players have recently become a
key focus for security researchers and attackers alike. For example, researchers
recently discovered two Trojans making the rounds on peer-to-peer networks disguised as
Windows Media Video files and infecting users via Windows Media Player's new
anti-piracy features.
The player appears to be downloading a
license for a DRM-protected file, but in fact it downloads more than a dozen
spyware and adware applications onto the user's PC, making thousands of registry
changes, according to Panda Software.