iTunes 10.7 Update: Heavy On Security Fixes, Short On Details

Yesterday, Apple released an updated version of their popular media player and mobile syncing software, iTunes 10.7. The update adds new features (like support for upcoming iOS 6) and fixes security vulnerabilities.

I must admit, I pretty much ignored Apple’s email about this update at first. After all, iTunes is a media player. Not really your typical business critical software, and not something I see attackers target very often. That said, it’s important to update all of your software, so I took a peek at Apple’s alert.

Wow!

According to Apple’s security bulletin, iTunes 10.7 fixes over 160 different vulnerabilities. I don’t think I’ve ever seen a security update list so many CVE numbers for one patch.

Apple’s alert doesn’t describe these flaws in any detail, probably because there are just too many to cover. However, it does characterize the majority of them as memory corruption issues in WebKit, the rendering engine iTunes uses to display web content such as the iTunes Store. Attackers typically exploit memory corruption flaws either to crash a program or to execute code on your computer with the privileges of the affected program. The only question that remains is how attackers might trigger these iTunes vulnerabilities. Apple doesn’t say, but based on past iTunes issues, I suspect that if an attacker can entice you to a special URL within iTunes, or can trick you into running a maliciously crafted media file, they could exploit many of these flaws to execute code on your computer, potentially gaining complete control of it (depending on your privileges).

In short, if you use iTunes on any platform, you should download and install 10.7 as soon as possible. — Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.
