eEye Flags More iTunes, QuickTime Flaws

Vulnerabilities in Apple's popular digital media products could put millions of Windows and Mac users at risk of code execution attacks.

Security flaws in Apple's popular digital media products are beginning to add up.

Researchers at eEye Digital Security have pinpointed two high-risk vulnerabilities in iTunes and QuickTime that could put millions of Windows and Mac users at risk of code execution attacks.

Aliso Viejo, Calif.-based eEye issued two alerts on its upcoming advisories Web page to warn of heap overflows and integer overflows in the two Apple products.

Apple's iTunes is a wildly popular online media service that sells music downloads, and QuickTime is the company's flagship media player.

eEye said the vulnerabilities affect QuickTime/iTunes on Windows NT, Windows 2000, Windows XP and Windows Server 2003. Mac OS X users are also vulnerable to the code execution attacks.

Apple does not comment on potential security vulnerabilities in its products until a fix is available. eEye only releases basic information on the existence of the bugs but withholds technical details until a patch is ready.

In the meantime, users are urged to avoid clicking on untrusted media files.

The latest flaw discoveries come at a sensitive time for Apple. The company is under intense scrutiny after the recent release of exploit code for a Safari browser flaw and the discovery of two pieces of malware affecting Mac OS X users.

On March 1, Apple shipped a Mac OS X security update with patches for more than a dozen security vulnerabilities. The monster update included five patches for Safari, including an "extremely critical" flaw that could cause remote code execution attacks if a user simply viewed a maliciously rigged Web page.
