toggle

AAPL Stock: 562.29 ( -3.03 )

Firm reports on new iTunes security flaw

updated 11:20 am EST, Fri November 18, 2005

New iTunes security flaw


A security research company has reported on a new had been released in September). The "critical vulnerability" could allow a malicious user to remotely take over a user's computer, according to a warning issued Thursday by eEye Digital Security. The firm said that a remotely exploitable flaw exists that allows arbitrary code to be executed in the context of the logged in user. The company said that severity was "high" due to the possibility of remote code execution, but did not provide details on which versions were affected, although both Mac OS X and Windows versions are affected, according to the report.


by MacNN Staff

print
email
(9)

TAGS :

 troubleshooting

Related Articles

Recent Articles

toggle

Comments

  1. Deal

    Mac Enthusiast

    Joined: Apr 2001

    0
    11/18, 11:39am | report spam | Reply |

    That's pretty vague

    Sounds more like a scare than an informational news report.

    There are so many people that hate Apple, they will do everything it takes to drag them down (i.e. cracks in cube, nano scratches, iPod batteries, etc...)

    If this were a concerned group, wouldn't they say which version and if the newest one was affected?

    No, they want people to be concerned and not use iTunes at all. How many holes are in MS software. Ah but that's OK. Apple will fix this in no time flat and the story will grow and spread anyway.

    Next there will be a lawsuit —I want my money back, plus earnings from all iPods, plus a new computer because this one has iTunes on it.

    If the people who did this really wanted to help, they would inform Apple and then either shut up, or give us details on how to avoid the issue. These are not people trying to help. They are using it as propaganda.

  1. Deal

    Mac Enthusiast

    Joined: Apr 2001

    0
    11/18, 11:44am | report spam | Reply |

    At least...

    However, at least they didn't tell everybody how to exploit it :)

  1. zac4mac

    Mac Elite

    Joined: Oct 1999

    0
    11/18, 12:01pm | report spam | Reply |

    sales pitch

    They don't say which version, but at the bottom of the page is a link to their security software you can buy so you're safe again... yeah, right.

  1. testudo

    Fresh-Faced Recruit

    Joined: Aug 2001

    0
    11/18, 12:17pm | report spam | Reply |

    Re: pretty vague

    Of course its vague. Clear information leads to crackers and hacks before its fixed.

    Sounds more like a scare than an informational news report.

    There are so many people that hate Apple, they will do everything it takes to drag them down (i.e. cracks in cube, nano scratches, iPod batteries, etc...)

    That's right. All anti-apple news or statements are by those who hate apple. Anti-MS news, no, that's just people reporting the truth. But anti-apple news. Mac-haters. Damn them!

    If this were a concerned group, wouldn't they say which version and if the newest one was affected?

    No, they want people to be concerned and not use iTunes at all. How many holes are in MS software. Ah but that's OK. Apple will fix this in no time flat and the story will grow and spread anyway.

    Yeah, and if they made the same report about WMP, you'd be "See, more holes in MS software. Glad I use a Mac." And Apple isn't known to fix their security problems quickly. Not quickly in my view, at least. Quickly would be by tonight. Anything later is just lollygagging. And just because Apple fixes it doesn't mean people aren't still susceptible. Not everyone rushes out to install the latest version of iTunes (esp. since Apple releases a new version like every other week, be it a bug fix or just new 'features'), nor are running the latest version of OS X. But will apple fix all affected versions? Nah, they just fix their security problems in the latest version and just tell everyone to update, whether they can or not.

    Next there will be a lawsuit —I want my money back, plus earnings from all iPods, plus a new computer because this one has iTunes on it. What are you smokin'? When was the last time anyone sued over a security hole? h***, I could see people suing because Apple doesn't fill the holes, but that's different.

    If the people who did this really wanted to help, they would inform Apple and then either shut up, or give us details on how to avoid the issue. These are not people trying to help. They are using it as propaganda.

    They did inform apple. They also want people to know there is a threat out there. Why? Because if they don't, there's no inpedence(?) on Apple to actually fill the hole. For example, the huge Safari auto-download and run bug in 10.3 (you know, the one that allowed a web site to download a disk image, have it mount, launch a program on it, and install something, all without you knowing anything happened...) was open for months and months before the finder of it finally started making it public, because Apple wasn't fixing it. And even after that (and lots of workarounds and third-party hacks), Apple finally got around to partially fixing it in OS X and Safari (through the kludge of asking the user "Are you sure you want app x to open file type y" like most users are going to know whether to answer

  1. caddisfly

    Fresh-Faced Recruit

    Joined: Apr 2005

    0
    11/18, 12:44pm | report spam | Reply |

    ,,,move on

    Oh, please!

    this is pretty much a content free, useless report that is nothing but FUD and a PR attempt by the eeye. Whether it is windows or linux or os x, what information does this provide that could be *any* good to the end user?

    They scare the user, but don't give any info about how to mitigate the threat - other than to buy their superduper security gizmo. They don't even say what the threat is. Be careful, you are vulnerable!!! Oh my!

    Well, guess what? You are vulnerable every day in everything you do.

    These guys are just doing corporate PR -- see us, we protect you! we have told all these corps about all their vulnerabilites -- Now, trust us and buy our product.

    Other than the corporate pitch and get their name out there, why announce it at all? The folks doing real security, don't announce it in the press.

    see: http://www.eeye.com/html/research/upcoming/index.html

    on all their announcements....

  1. piracy

    Mac Elite

    Joined: Mar 2001

    0
    11/18, 01:06pm | report spam | Reply |

    Re: pretty vague

    testudo,

    Yeah, while the person who you were responding to was clueless, I have to take issue with your comments.

    First of all, the distinction between the historical types of exploits for Windows and the vulnerabilities in Mac OS X is an important one.

    Many Windows flaws have led to full, remote, arbitrary code execution without *any* action on the part of the user required. Granted, Microsoft has done a fantastic job recently, in the last couple of years anyway, addressing security issues and fundamental shortcomings (enabling a firewall by default has gone a long way), but no such vulnerability has existed to date on Mac OS X. Sure, there have been vulnerabilities in services that are represented by open source projects such as apache and ssh, but the vast, vast majority of Mac OS X systems in use will never even have these services enabled. In a server or enterprise setting where the services are used, the vulnerabilities in open source services usually represent nebulous theoretical exploits that are still far from being exploited in the wild.

    The intense scrutiny and peer review of the open source components of Mac OS X, which represent almost all of Mac OS X's possible network-exposed services, means that even if there is a delay in Apple (or Red Hat... or IBM... or Sun...) releasing an official update, chances are, the vulnerability hasn't actually been exploited in the wild and represents only theoreticals, gleaned from examining code. The same is not true for Windows, where when vulnerabilities are discovered, it's usually *because* they're already being exploited, because it has required application-specific reverse engineering.

    Further, Apple, as a stark contrast to other commercial and free *NIXes that are out there actually provides a real, production OS usable by normal human beings. This is due to many factors, and in no small part the quality assurance that goes into testing each update (and if people think *Apple* introduces a lot of problems with updates, well, you'd be in for a rude awakening on other OSes). Overall, Apple's quality control is nothing short of stellar. This quality control translates into a slight delay in rolling out updates to their products, whether they be open source or otherwise.

    Cont...

  1. piracy

    Mac Elite

    Joined: Mar 2001

    0
    11/18, 01:07pm | report spam | Reply |

    Re: pretty vague

    ...Cont

    The vulnerability in question isn't even public, and there is no logical reason to assert that Apple must have a fix ready today.

    I thought you were relatively knowledgeable from your post, but then I got to your rant about Safari, and that showed a level of ignorance from someone who otherwise appears to be knowledgeable that I do not often witness. AFTER the fix, i.e., the application notification dialog, this is NOT an exploit in the default configuration. It does not matter whether or not the user knows how to answer the question: it requires specific and explicit action on the part of the user. BEFORE the fix, it certainly was an exploit, as clicking a link could lead to a scenario where arbitrary code could be executed on the machine with the user's level of privileges, which, with the old /Library/StartupItems exploit, could mean root privileges on the next boot. But when the user is warned that they're downloading an executable application, there is NOTHING more the computer can do. It's not a partial fix, and it's not a kluge. It's either break fundamental properties of the OS, or tell the user "Hey, you're downloading something that could run on your computer. Are you sure you want to do this?"

    In closing, this iTunes vulnerability probably requires the user visit a malicious web site, specifically designed to exploit the vulnerability, so in other words, in this stage, it's nothing that would or even could affect any iTunes user in the world of reality. iTunes will be fixed, and you can complain all you want.

    And it's "impetus", by the way.

  1. testudo

    Fresh-Faced Recruit

    Joined: Aug 2001

    0
    11/18, 02:42pm | report spam | Reply |

    Re: pretty vague

    AFTER the fix, i.e., the application notification dialog, this is NOT an exploit in the default configuration. It does not matter whether or not the user knows how to answer the question: it requires specific and explicit action on the part of the user. BEFORE the fix, it certainly was an exploit, as clicking a link could lead to a scenario where arbitrary code could be executed on the machine with the user's level of privileges, which, with the old /Library/StartupItems exploit, could mean root privileges on the next boot. But when the user is warned that they're downloading an executable application, there is NOTHING more the computer can do. It's not a partial fix, and it's not a kluge. It's either break fundamental properties of the OS, or tell the user "Hey, you're downloading something that could run on your computer. Are you sure you want to do this?"

    I guess it depends on which Safari bug you're talking about. The one discovered where people could run a shell script right from a web-site, or the similar instance of visiting a web-site which automatically downloaded the disk image, and then launched the software that was housed on it.

    The disk images were auto-mounted because Apple had just called those files "Safe" for auto-opening after download. Why? Who knows. Then again, I'm not sure why any file is set to auto-open on download (its one of the first things I turn off in any browser, irritates the h*** out of me). But then after the image is downloaded, opened, and mounted, the web-site basically gets Safari to launch a file on that disk image.

    How in the h*** does anyone say Apple cares about security when there's a gaping hole in the browser that let's that happen? This is where using a single code base for various tasks causes issues (just like with IE in windows). WebCore is used not only for safari, but for Help, and a boatload of other things. The help authors wanted to be able to launch things from Help, so they added that functionality to WebCore, without considering how it could affect other areas of the OS. That's the kind of thing MS gets killed for.

    But my point really on all that was how long it took apple to even come out with a partial fix (I know when they first released a fix, it only fixed part of the security issues, other flaws were still present). It took several months, at least.

    Finally, on this point: AFTER the fix, i.e., the application notification dialog, this is NOT an exploit in the default configuration. It does not matter whether or not the user knows how to answer the question: it requires specific and explicit action on the part of the user. Well, this is better? The way I'm interpreting this is that you're saying that since now its up to the user to say it's OK or not to open some file, there's no longer a security issue. That's not true. If a user doesn't know what to answer, or why there's a concern, th

  1. Deal

    Mac Enthusiast

    Joined: Apr 2001

    0
    11/18, 04:57pm | report spam | Reply |

    There is a mix

    Of good knowledge and (lets just say other knowledge) in this thread.

    I should have looked farther before posting what I did (I'm just so sick of people kicking Apple—first when they were down and now that they're up they kick them harder).

    Good catch on the "product for sale", I missed that and it changes the spin on the report completely.

    The main issue here is (other than the product for sale) they don't help at all. I realize you don't want to give hackers info, I even mentioned that in my post (if you cared to read it). You report it to the company so they can fix it or you offer a possible solution/work around. Otherwise they should shut up.

    To say that was "clueless" is pretty clueless in its own right but these threads are full of that.

    The catch that they are selling a product puts this whole thing into the catogory of the supposed Trojan security flaw that surfaced about OS X some time back (that flaw wasn't only directed at Safari). It's not even real news, its created to make a profit.

    If somebody gives you a script that wipes your HD, labels it a gif and you run it, that's your fault.

    I wonder how many of these security programs these companies sell?

    Testudo—If you don't think Apple gets slammed and sued for the stupidest things, you are blind! Are you one of those hoping for part of Apple's iPod profits because your nano is scratched? I highly doubt this company wants Apple to fix the bug if they are waiting to make a profit off of it. They won't even say which versions?! Stupid article, stupid news.

    Piracy—Which actual part is "clueless"? This has to mean I'm wrong. I made several points: They don't say which versions, They don't help, ZDnet will write a huge negative article about it, it's probably a pointless little flaw that Apple will have fixed quickly (if they haven't already), there will be a whole bunch of PC bigots in our tech department that dump on Apple because of it and it will give the security department a reason to not let people use iTunes. Please tell me, what is incorrect. If I'm clueless...

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

iHome iW2 AirPlay speaker

iHome generally isn't known as a luxury brand when it comes to audio, but it is prolific -- the company's docks and speakers are every ...

Logitech Ultrathin Keyboard Cover

One of the iPad's main weaknesses has always been productivity. It's not a question of apps; while it has taken a little time for a na ...

Logitech UE Air Speaker

If maybe a little more slowly than Apple would like, AirPlay is becoming a staple of the wireless speaker market for iOS devices. The ...

toggle

Most Commented

 

Popular News