Apple patches 'highly critical' iTunes bug
Playlist peril
Apple updated its iTunes software this week following the discovery of a security bug that leaves open a way to compromise vulnerable systems.
A bug in the code iTunes uses to parse .m3u and .pls playlists means a maliciously crafted playlist (one containing overlong URL file entries) can crash vulnerable versions of the application. In the process, hostile code can be injected into vulnerable systems. This is a classic buffer overflow attack.
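As an added illustration (not Apple's code, nor the researcher's), the following C parser shows the defensive check that matters here: every .m3u entry is length-checked against a fixed buffer before it is copied, so an overlong URL entry is rejected instead of overflowing. The entry limit and the sample playlists are constructed for this example.

```c
#include <string.h>

/* Hypothetical entry limit for this example, not a value from iTunes. */
#define MAX_ENTRY_LEN 1024
#define MAX_ENTRIES 16

struct playlist { char entries[MAX_ENTRIES][MAX_ENTRY_LEN + 1]; int count; };

/* Parse .m3u text into fixed-size entry buffers, skipping '#' lines
 * (#EXTM3U header, #EXTINF metadata). Returns the entry count, or -1 if a
 * line exceeds MAX_ENTRY_LEN or the table is full; the length is checked
 * before any copy, so an overlong URL is rejected, not written past the end. */
int parse_m3u(const char *text, struct playlist *pl) {
    const char *line = text;
    pl->count = 0;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 0 && line[len - 1] == '\r')   /* tolerate CRLF files */
            len--;
        if (len > 0 && line[0] != '#') {
            if (len > MAX_ENTRY_LEN || pl->count >= MAX_ENTRIES)
                return -1;                      /* reject, do not overflow */
            memcpy(pl->entries[pl->count], line, len);
            pl->entries[pl->count][len] = '\0';
            pl->count++;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return pl->count;
}

/* Constructed sample playlists, not captured files. */
static const char BENIGN_M3U[] =
    "#EXTM3U\r\n#EXTINF:123,Example track\r\n"
    "http://example.invalid/track1.mp3\r\n/Users/demo/Music/track2.mp3\n";

/* Well-formed file: returns 2 */
int demo_benign(void) { struct playlist pl; return parse_m3u(BENIGN_M3U, &pl); }

/* One 1031-byte URL line: returns -1 */
int demo_overlong(void) {
    static char text[MAX_ENTRY_LEN + 64];
    struct playlist pl;
    memcpy(text, "#EXTM3U\nhttp://", 15);
    memset(text + 15, 'A', MAX_ENTRY_LEN);
    memcpy(text + 15 + MAX_ENTRY_LEN, "\n", 2);   /* newline + NUL */
    return parse_m3u(text, &pl);
}
```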
iTunes users are advised to update to version 4.7.1 to guard against the risk of attack. Hymn users, beware: the upgrade breaks this anti-DRM utility.
Security reporting firm Secunia rates the iTunes bug as "highly critical". Exploitation of both Mac OS and Windows machines running iTunes is possible, provided an attacker tricks a user into opening a malicious playlist file with a vulnerable version of iTunes.
The vuln was discovered by Sean de Regge and is explained here. ®