Security Vulnerability in iTunes

Posted by: Arik Hesseldahl on November 18, 2005

How secure is the iTunes software that goes hand-in-hand with the iPod? Apparently there are some issues about which those who use iTunes on Windows should be concerned. Computer security firm eEye is working on publishing the details of a vulnerability that came to light Thursday. Details about the exact nature of the vulnerability are sketchy eEye hasn’t gone into that level of detail as yet.

The vulnerability has come to light only a few days after another security firm iDefense found a vulnerability in iTunes version 5 for running on Windows XP and Windows 2000. (The current version is 6.0.1). That vulnerability, which has been fixed, concerns the way the program uses a helper application.

Marc Maiffret, eEye’s Chief Hacking Officer (how cool a title is that?) is one of the people who helped discover the Code Red worm in 2001. He tells me that Apple has confirmed receipt of the information on the vulnerability. But there’s no comment on the issue from Apple.

The firm describes the vulnerability as “a remotely exploitable flaw” allows arbitrary code to be executed in the context of the logged in user.

There was apparently also some confusion about whether iTunes on the Mac was affected. A story on Cnet which initially said it was affected, was corrected about four hours after it was first published saying eEye was still testing to see if the Mac OS version is affected. Maiffret didn’t comment on that aspect.

Either way, Apple’s usually pretty good about issuing patches that fix these things. eEye says it won’t publish the exact details of the vulnerability until Apple issues a patch.

TrackBack URL for this entry: http://blogs.businessweek.com/mt/mt-tb.cgi/