Security Fix In iTunes 7.4
Support for a new range of iPods and the ringtone maker were the highlights of the recent iTunes update. However, version 7.4 had something else in its backpack: a fix for a highly critical flaw affecting the previous Mac and Windows versions.
September 7, 2007
Apple's Steve Jobs might have left it out of the official presentation because security fixes have become commonplace and don't raise much interest unless a serious number of users are affected. Or, since iTunes was lucky enough to avoid becoming the target of an attack, the company chose the “be quiet and just fix it” policy.
According to Secunia, the iTunes flaw would allow anyone skilled enough to execute arbitrary code and thus compromise the user's system:
“The vulnerability is caused due to a boundary error when processing the "covr" atom in media files. This can be exploited to cause a heap based buffer overflow via a specially crafted cover art embedded in a media file,” the advisory states.
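The class of bug the advisory describes comes from trusting a length field stored in the file. The following C example is added here for illustration; it is not Apple's code and is not taken from the advisory. It assumes the standard MP4 atom header (a 32-bit big-endian size that includes the 8-byte header, then a four-character type) and a "covr" atom holding a "data" child with 8 bytes of flags and locale before the image bytes; the function names and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a big-endian 32-bit value. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the atom header at buf[0..len) and return its payload bounds.
 * Rejects truncated headers, a declared size smaller than the header or
 * larger than the bytes available, and the special sizes 0 (to end of
 * file) and 1 (64-bit size), which this example does not support. */
static int atom_payload(const uint8_t *buf, size_t len, const char type[4],
                        const uint8_t **payload, size_t *payload_len) {
    if (len < 8) return -1;
    uint32_t size = be32(buf);
    if (size < 8 || size > len) return -1;
    if (memcmp(buf + 4, type, 4) != 0) return -1;
    *payload = buf + 8;
    *payload_len = size - 8;
    return 0;
}

/* Copy the image bytes of a "covr" atom into dst (capacity dst_cap).
 * Returns the number of bytes copied, or -1 if malformed or too large. */
long copy_cover_art(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap) {
    const uint8_t *p; size_t n;
    if (atom_payload(buf, len, "covr", &p, &n) != 0) return -1;
    if (atom_payload(p, n, "data", &p, &n) != 0) return -1; /* child bounded by parent */
    if (n < 8) return -1;          /* 4 bytes type flags + 4 bytes locale */
    p += 8; n -= 8;
    if (n > dst_cap) return -1;    /* check the destination, not just the source */
    memcpy(dst, p, n);
    return (long)n;
}

/* Constructed sample: covr(28) -> data(20) -> flags, locale, 4 image bytes. */
static const uint8_t sample[] = {0,0,0,0x1c,'c','o','v','r', 0,0,0,0x14,'d','a','t','a',
                                 0,0,0,0x0d, 0,0,0,0, 0x89,'P','N','G'};

int main(void) {
    uint8_t out[16];
    printf("copied %ld bytes\n", copy_cover_art(sample, sizeof sample, out, sizeof out));
    return 0;
}
```

Every length is checked twice: against the bytes that actually remain in the enclosing atom, and against the capacity of the destination buffer before the copy.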
The latest security-related scandal to involve Apple happened in December 2006. Back then, hackers took advantage of a QuickTime security hole that enabled a worm to attack MySpace users. As a result, infected users got their MySpace pages altered and they were redirected to a similar (but fake) site whenever they tried to log in.