The Latest in IT Security

Security patch for iTunes fills a whopping 79 holes.

12
Oct
2011

Apple has just released iTunes v10.5 in preparation for the impending release of their latest operating system iOS5. The patch not only includes support for iCloud and wireless syncing, but importantly contains a slew of security fixes for the Windows version of the ubiquitous media player.

The patch fixes 79 vulnerabilities of which 73 are within WebKit, the HTML rendering engine which powers iTunes and used in other popular programs such as Safari and Google Chrome. Since fixes are also applied to WebKit via Google’s Vulnerability Rewards Program, names like Sergey Glazunov (notable for his work on Google Chrome) also appear in the list of contributors.

The patch follows a string of high profile security updates for programs such as Chrome and Flash Player, all of which indicate that some of the world’s largest software companies are treating security, both of their system and of their users, with renewed zeal after 2011 delivered a string of high profile hacks and data breaches.

For existing users of the program, iTunes will automatically update to the latest version or alternatively the patch can be manually downloaded from http://support.apple.com/downloads/.

 

Below is a list of significant changes, while full details of the update can be found here.

Other than the WebKit fixes, the following vulnerabilities were patched:

  • A memory corruption issue existed in the handling of string tokenization. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of audio stream encoded with the advanced audio code. This issue does not affect OS X Lion systems.
  • A buffer overflow existed in the handling of H.264 encoded movie files. For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2. For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006.
  • A heap buffer overflow existed in ImageIO’s handling of TIFF images. This issue does not affect OS X Lion systems. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8.
  • A reentrancy issue existed in ImageIO’s handling of TIFF images. This issue does not affect Mac OS X systems.

Leave a reply


Categories

SUNDAY, OCTOBER 22, 2017

Featured

Archives

Latest Comments

Social Networks