Apple (Nasdaq: AAPL) has announced vulnerabilities that affect two of its popular digital products: iTunes and QuickTime. The issues could put computer users at risk of code execution attacks.
Apple's iTunes software is used by millions of music listeners to download songs to their iPods and other MP3 players. In February, Apple announced that 1 billion songs have been legally downloaded from the iTunes Music Store.
QuickTime is Apple's flagship media player. It is comparable to RealPlayer or Microsoft's (Nasdaq: MSFT) Windows Media Player. QuickTime is becoming a more important part of the Apple equation in the iTunes age. That's because the iTunes Music Store features a selection of over 3,000 music videos, short films and hit TV shows.
Dissecting the Vulnerabilities
eEye Digital Security discovered the vulnerabilities in iTunes and QuickTime, and classified them as "critical."
The vulnerabilities allow an attacker to overwrite heap memory and execute code on the user's machine. That means an intruder could do something as benign as taking a directory of the user's files or as malicious as wiping out the entire system -- all over an Internet connection.
"Users can protect themselves by not clicking on any links in e-mails from unrecognized sources and by generally paying attention to what Web sites they are visiting. Locking down a system and not using the administrator account at all times lowers the risk but does not mitigate the vulnerability," Steve Manzuik, security product manager at eEye Digital, told MacNewsWorld.
The QuickTime and iTunes flaws are one and the same, Manzuik said, because Apple has integrated the two programs. Users who download QuickTime automatically download iTunes and vice versa.
Attacking Media Players
Media player vulnerabilities are becoming more common. Apple's iTunes was plagued with a critical vulnerability last November that could have enabled attackers to remotely take over a user's computer.
Late last year, RealPlayer posted its share of vulnerabilities; the most serious could have been exploited to compromise a vulnerable system. Just last week, a vulnerability was discovered in Microsoft Windows Media Player that could allow remote code execution.
"As much as everyone likes to beat up on Microsoft, it is harder to attack the operating system. The operating systems are getting better," Manzuik said. "The low-hanging fruit is end-users on their workstations. That's where programs like iTunes sit."
Impacting the Enterprise
Users can protect themselves by not clicking on any links in e-mails from unrecognized sources. Users can also "lock down the machine," Manzuik said, which requires the use of an administrator's account at all times. This, however, is not always practical, especially when surfing the Web.
"The potential threat does not just affect home users," Manzuik said. "A lot of people have purchased an iPod, taken it to work and installed iTunes on the computer there."
That makes it an enterprise issue that companies should keep a close eye on until a patch is released.
Apple was not immediately available for comment.

