Pair of Apple Products Leaves Sour Taste

By Ryan Naraine  |  Posted 2005-11-28

Researchers at eEye Digital Security have taken a bite out of two popular Apple Computer Inc. products, flagging two critical vulnerabilities in the iTunes and QuickTime applications.

The flaws, which put millions of Windows users at risk of code execution attacks, remain unpatched.

Steve Manzuik, security product manager on eEyes research team, said the newest version of iTunes, which was released by Apple earlier this month, contains the vulnerability.

eEye, of Aliso Viejo, Calif., has posted two brief notices on its Web page for upcoming advisories warning that the flaws carry a "high risk" label.

"These vulnerabilities require that the user clicks on a link and launches a media file. But once theyre exploited, we can run pretty much any piece of malicious code on the box," Manzuik said.

eEye is still running tests against Apples Mac OS X operating system. As per policy, Apple, of Cupertino, Calif., does not comment on potential security vulnerabilities in its products until a fix is available.

Manzuik said Apple acknowledged receipt of the flaw reports, which included sample proof-of-concept exploit code. In all, eEye has flagged three separate code execution flaws in the two products.

The discoveries come just weeks after Apple released a fix for three gaping security holes in QuickTime.

Manzuik said all the vulnerabilities were discovered in the way the two software products execute certain files. "The class of flaw would be considered similar, but they are three separate issues," he said.

Manzuik said it is surprising—and disappointing—that users tend to ignore serious bugs in desktop applications such as digital media players. "Media player flaws always fly under the radar, but thats where the malicious hackers are looking for vulnerabilities," he said. "A lot of users can be tricked into opening files. These are very serious flaws."

Ryan Naraine is a senior writer for Ziff Davis Internet.

Rocket Fuel