New security issue in iTunes, QuickTime
updated 11:25 am EST, Mon March 13, 2006
iTunes, QuickTime security
Apple has reported a new security vulnerability affecting iTunes and QuickTime, which could lead to code being run on the system, according to PC Pro. "The integer overflow and heap-based buffer overflow vulnerability affects both the Mac OS X and Windows versions of QuickTime Player 7.0.3 and 7.0.4 and iTunesj 6.0.1 and 6.0.2. An attacker who successfully exploited the flaw would be able to run code in the context of the logged in user. Most Windows users have admin accounts for day to day use with much greater privileges than Mac users, whose user accounts have limited rights and permissions." The report says that security company eEye Digital describes the flaw as "high" in terms of severity and that Apple has yet to issue any patches for the affected software. Both are listed on the security research firm's website: EEYEB-20060307a and EEYEB-20060307b. [updated: direct links to flaws added]

What is iTunesj?
03/13, 12:17pm reply
My iTunes is at version 6.0.4. What is iTunesj?
t_hah
Mac Elite
Joined: Dec 2000
No Patch?
03/13, 12:31pm reply
Since iTunes is at 6.0.4 and this issue apparently doesn't affect 6.0.4, and iTunes is free, I would say that a patch _has_ been released.
jasong
Mac Elite
Joined: Mar 2000
RE: what is itunesj
03/13, 12:38pm reply
That is a typo (I would guess)
bgarlock
Fresh-Faced Recruit
Joined: Mar 2006
Damn...!
03/13, 12:56pm reply
"We can't report any security flaws on Apple with current software, so let's point out how older versions have flaws, and let's call them critical. If people call us on it, let's just say that there's a risk of 'many' users running these older versions, that haven't upgraded yet..."
ZinkDifferent
Fresh-Faced Recruit
Joined: Jan 2005
For Pete's Sake...
03/13, 10:39pm reply
Apple has reported a new security vulnerability affecting iTunes and QuickTime...
This is APPLE who has reported the vulnerability. And, really, I would think that the actual underlying message here is "UPDATE to the current versions of iTunes and QuickTime." Whether you want to believe it or not, there really are lazy people (both Mac and PC users alike) who simply have NOT updated. Apparently, those of us posting here are already in the clear since we have the current versions installed.
I see no valid reason to b**** at the messenger. If you want to b****, then do so at Apple.
JoeE
Fresh-Faced Recruit
Joined: Feb 2006
Re: for pete's sake
03/13, 11:56pm reply
This is APPLE who has reported the vulnerability. And, really, I would think that the actual underlying message here is "UPDATE to the current versions of iTunes and QuickTime." Whether you want to believe it or not, there really are lazy people (both Mac and PC users alike) who simply have NOT updated. Apparently, those of us posting here are already in the clear since we have the current versions installed.
Another thing on this. I guess all the whiners on this board have nothing better to do than download/install iTunes updates and post messages. But most people get tired of installing a newer version of iTunes every other week (it's worse than MS updates!)
And if you read the release notes, all they said was 6.0.4 improved reliability with Front Row. And I'd hazard a guess that most people don't use the over-hyped Front Row, so why would someone waste the time to download and reboot?
LouZer
Fresh-Faced Recruit
Joined: Nov 2000