Apple Fixes iTunes Security Flaw

The company releases an update for iTunes that patches a "highly critical" vulnerability in the media player.

Along with introducing a slew of new hardware and software on Tuesday, Apple Computer Inc. also quietly released an update for iTunes that fixes a serious security vulnerability found in both Windows and Mac OS X versions of the media player.

The update, iTunes 4.7.1, patches a bug in the way iTunes handles the common .m3u and .pls playlist files. A buffer overflow that occurs when a user attempts to play one of these files—often exchanged over the Internet as a way of organizing music tracks—can crash the player and execute malicious code on a users system, company officials said.

The vulnerability, which merited a "highly critical" rating from independent security research firm Secunia, affects Windows XP, Windows 2000 and Mac OS X systems. Apple security information and updates can be found on Apples Web site.

Besides the security fix, iTunes 4.7.1 also adds shuffle and photo features for the iPod, as well as performance improvements.

/zimages/5/28571.gifClick here to read about Apples new flash-based iPod shuffle and other products announced at Macworld.


ITunes is Apples desktop interface for its industry-leading iPod music player, and is widely used on both Windows and Mac systems. The program is also the only way for users to interact with the popular iTunes Music Store.

Media players have recently become a key focus for security researchers and attackers alike. For example, researchers recently discovered two Trojans making the rounds on peer-to-peer networks disguised as Windows Media Video files and infecting users via Windows Media Players new anti-piracy features.

The player appears to be downloading a license for a DRM-protected file, but in fact it downloads more than a dozen spyware and adware applications onto the users PC, making thousands of registry changes, according to Panda Software.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.